ESET released its 2026 SMB Cyber Readiness Index – North America edition. This new report surveyed hundreds of small and medium-sized businesses (SMBs) from across the United States and Canada to uncover new insights into their cyber resilience, incidents and reporting, perceived threats, and investments – while analyzing the current appetite for managed services, cyber insurance and AI-powered applications.
In this new report, 87% of U.S. and 83% of Canadian SMBs said that they feel slightly to very confident that their business is cyber resilient. Across both countries, cyber resilience confidence rose to 91% and 88%, respectively, for businesses that had more than one cyber incident in the last year (over businesses that had zero or one incident during that timeframe). Across both regions, about half of respondents (47% in the U.S. and 52% in Canada) said that they don’t expect a change in cybersecurity budget this year.
“SMBs in the U.S. and Canada are entering a new phase of cybersecurity where attacks are becoming the new norm and an expected part of business operations,” said Tony Anscombe, Chief Security Evangelist at ESET. “We’ve seen significant shifts in how SMBs perceive today’s risks and how they prepare for them, relying more on cyber insurers to provide cybersecurity services and as a core part of their resilience strategy. While SMBs are worried about headline catching AI‑driven threats, most breaches are still a result of social engineering coupled with human error – including phishing, credential compromise and third party/supply chain risk.”
In order to manage cyber-attacks, SMBs are increasingly including cyber insurance in their resilience strategies to ensure compliance, financial stability and peace of mind when incidents occur. Today, 86% of U.S. SMBs carry cyber insurance, with over half deploying specific security controls (e.g., MFA, IAM, EDR/MDR) as part of their coverage conditions. Canadian SMBs only trail slightly with 78% carrying cyber insurance. In both countries, respondents who have had more than one incident are more likely to carry insurance.
On the AI front, Canadians are more cautious about the deployment of new AI applications than their U.S. counterparts. 69% of Canadian respondents said that they are integrating AI applications into their organization compared to 81% of U.S. respondents.
The 2026 Index surveyed 700 cybersecurity decision-makers across U.S. and Canadian organizations with 25 to 1,000 endpoints, uncovering new insights into SMB cyber readiness, incident response, cybersecurity tools and management, insurance and compliance, AI strategy, and more. Here are some additional highlights from the report released today:
“Perception vs. Reality”: Are SMBs Worried About the Right Threats?
· SMBs across the U.S. (32%) and Canada (34%) say AI-powered malware is their top concern for the year ahead, a signal of how dominant AI has become in headlines and boardroom conversations.
· But the actual causes of breaches paint a very different picture. In the U.S., the leading drivers of cyber incidents remain phishing (27%), lack of security monitoring (27%) and unpatched security vulnerabilities (25%). In Canada, attacks most often stem from phishing (21%), weak passwords (20%), and insufficient security monitoring (20%).
· Meanwhile, one of the most consequential risks, supply chain compromise, barely registers among SMBs’ top concerns in the survey, ranking eighth (17%) among U.S. respondents and 10th (16%) for Canadians – despite the potential for widespread downstream impact.
· Finally, 82% of U.S. and Canadian SMBs agree that cyber warfare and global conflict pose a real threat to their business, underscoring how interconnected today’s risks are.
Cyber Insurance is Influencing Security Behavior
· Incident experience is a major driver of cyber risk insurance adoption: 95% of U.S. and 92% of Canadian SMBs that suffered multiple incidents carry insurance, compared to 77% of U.S. and 68% of Canadian businesses with no incidents.
· In both markets, insurers are playing a more direct role in shaping security posture: 55% of insured U.S. SMBs and 41% of insured Canadian SMBs are required to implement specific controls, often involving continuous monitoring or MDR‑style services, as a condition of coverage.
· Of SMBs surveyed, 16% U.S. and 19% of Canadian respondents say that they outsource some or all of their cybersecurity. Of the U.S. companies that outsource, 35% of SMBs now outsource security to a cyber insurer offering MDR, 21% use an MDR vendor, 17% rely on an MSP/MSSP with MDR, and 27% still use a traditional MSP.
· Of the Canadian companies who outsource, 27% of SMBs now outsource security to a cyber insurer offering MDR, 8% use an MDR vendor, 27% rely on an MSP/MSSP with MDR, and 38% still use a traditional MSP.
Anscombe noted, “In cybersecurity, diversity is necessary to achieve a resilient ecosystem. While it’s heartening to see SMBs adopt cyber risk insurance, there needs to be greater awareness of potential monoculture issues as North American cyber insurers that provide managed services typically offer a limited choice of services and products. In fact, 72% and 66% of US and Canadian businesses respectively are concerned with the implications of single vendor ecosystems (i.e., security monocultures).”
Confidence Rising Meets Increasing Attacks
· Even as confidence rises, cyberattacks remain widespread across the U.S. and Canada, reinforcing the sense that cybersecurity incidents are now an inevitable part of doing business.
· In the U.S., 54% of SMBs experienced an incident in the past 12 months, including 22% who faced multiple breaches. Canada shows a similar trend, with 46% reporting at least one incident and 12% experiencing more than one. These numbers highlight how frequently SMBs are being targeted and successfully compromised, despite increased awareness and stronger budgets.
· This growing prevalence is shaping how SMBs think about risk, pushing many to build processes that assume disruption rather than hope to avoid it altogether. In fact, organizations with multiple incidents show the highest confidence levels. In the U.S., 52% of those with repeat incidents (and 42% of Canadians) identify as “very confident,” compared to firms with only one or no incidents.
· These repeatedly targeted organizations also report the strongest budgets, with 45% of U.S. SMBs in this category describing their cybersecurity funding as “more than sufficient” and expecting additional investment increases. Canadian firms were less enthusiastic with their budget – with 25% identifying their budgets as “more than sufficient.”
· Finally, cybersecurity confidence does not always correlate with company size in the United States. Larger U.S. SMBs (500–1,000 endpoints) are less likely to deploy advanced, proactive measures such as threat detection and response (24%) than smaller SMBs (34%), indicating that operational complexity may be outpacing modernization efforts even as confidence rises.
SMBs are Still Investing in Awareness & Training
· Across both the U.S. and Canada, cyber awareness training emerges as the top investment priority for the year ahead, reinforcing the reality that human error remains the most exploited weakness in today’s attacks.
· Over 90% of SMBs in both countries say training is “critical” or “very important,” with 42% of U.S. SMBs and 43% of Canadian SMBs planning to increase these investments in the next 12 months—making it the leading budget category in both markets.
· Nearly half of SMBs now go beyond basic training: 44% of U.S. organizations and 47% in Canada use structured programs that include phishing simulations, a shift likely driven by rising concern over AI‑driven phishing techniques and deepfake‑enabled impersonation threats.
· This emphasis on strengthening the human layer aligns closely with incident data, as phishing remains a top cause of breaches (27% in the U.S., 21% in Canada), underscoring why SMBs continue to invest heavily in awareness, behavior change, and simulation‑based resilience.
“Confidence is growing, but the reality is that most breaches still come from preventable issues like phishing, weak passwords, and monitoring gaps,” said Anscombe. “If cyberattacks are the new normal, then getting the fundamentals right matters more than ever.”
ESET’s 2026 SMB Cyber Readiness Index surveyed 700 cybersecurity decision‑makers across the United States and Canada in industries such as manufacturing, construction, healthcare, retail, telecommunications, transportation, and more. This included 500 respondents from the United States and 200 from Canada with 25 to 1,000 endpoints. Notably, 67% of U.S. respondents and 51% of Canadian respondents were their company’s primary decision-makers for cybersecurity.
