SMB cyber attacks now 'new normal' as confidence climbs: Report

US and Canadian small businesses feel confident in their cyber defenses

By Josh Recamara

Small and medium-sized businesses (SMBs) in North America said they are more confident than ever in their cyber resilience, even as attacks remain widespread and are still largely driven by basic, preventable issues, according to ESET's 2026 SMB Cyber Readiness Index - North America edition.

The research, based on 700 cybersecurity decision-makers at organizations with 25 to 1,000 endpoints in the US and Canada, found 87% of US and 83% of Canadian SMBs feel at least "slightly" confident in their cyber resilience. Confidence is even higher among firms that have already been hit more than once in the past year, rising to 91% in the US and 88% in Canada for SMBs reporting multiple incidents. Meanwhile, around half of respondents (47% in the US and 52% in Canada) do not expect any change in their cybersecurity budget this year.

“SMBs in the US and Canada are entering a new phase of cybersecurity where attacks are becoming the new norm and an expected part of business operations,” said Tony Anscombe, chief security evangelist at ESET. “We’ve seen significant shifts in how SMBs perceive today’s risks and how they prepare for them, relying more on cyber insurers to provide cybersecurity services and as a core part of their resilience strategy. While SMBs are worried about headline catching AI‑driven threats, most breaches are still a result of social engineering coupled with human error – including phishing, credential compromise and third party/supply chain risk.”

Perception vs. reality: AI fears, old weaknesses

One of the report’s clearest findings was a mismatch between what SMBs say they fear and what is actually causing most incidents.

In both countries, AI-powered malware tops the worry list – 32% of US and 34% of Canadian SMBs name it as their primary concern for the year ahead. But the incident data suggest more traditional gaps are still doing the damage.

In the US, the leading causes of cyber incidents are phishing (27%), lack of security monitoring (27%) and unpatched vulnerabilities (25%). In Canada, incidents are most often linked to phishing (21%), weak passwords (20%) and insufficient security monitoring (20%).

Supply chain compromise sits much lower on SMBs’ worry list, ranking eighth (17%) among US respondents and 10th (16%) in Canada. At the same time, 82% of SMBs across both countries agree that cyber warfare and global conflict pose a real threat to their business, underlining how closely they now associate geopolitical risk with cyber risk.

Cyber insurance increasingly dictates controls

ESET’s index also showed cyber insurance playing a bigger role in shaping SMB security behavior.

In the US, 86% of SMBs now carry cyber insurance, while in Canada, 78% do. Experience with incidents appears to be a key driver. Among firms that suffered multiple incidents, 95% in the US and 92% in Canada have coverage, compared with 77% and 68%, respectively, among those that reported no incidents.

Insurers are not just transferring risk, however; they are actively influencing controls. Fifty-five percent (55%) of insured US SMBs and 41% of insured Canadian SMBs said they are required to implement specific measures as a condition of coverage. Many of those requirements involve continuous monitoring or MDR-style services.

Outsourcing remains a minority strategy overall, but it is evolving. Across all respondents, 16% of US and 19% of Canadian SMBs outsource some or all cybersecurity functions. Among US firms that outsource, 35% now use a cyber insurer offering MDR, 21% use a standalone MDR vendor, 17% rely on an MSP/MSSP with MDR and 27% still use a traditional MSP. In Canada, 27% of outsourcing SMBs use a cyber insurer with MDR, 8% use an MDR vendor, 27% work with an MSP/MSSP with MDR and 38% rely on a traditional MSP.

Anscombe warned that this insurer-led managed services model could introduce new systemic risks.

“In cybersecurity, diversity is necessary to achieve a resilient ecosystem. While it’s heartening to see SMBs adopt cyber risk insurance, there needs to be greater awareness of potential monoculture issues as North American cyber insurers that provide managed services typically offer a limited choice of services and products. In fact, 72% and 66% of US and Canadian businesses respectively are concerned with the implications of single vendor ecosystems (i.e. security monocultures),” he said.

Confidence climbs as incidents mount

Despite the higher confidence levels, cyberattacks remain commonplace, reinforcing the idea that incidents are now treated as an expected business cost rather than an outlier.

In the US, 54% of SMBs experienced at least one incident in the past 12 months, with 22% reporting multiple breaches. In Canada, 46% reported at least one incident and 12% were hit more than once.

Meanwhile, organizations that have been attacked repeatedly are also the most confident. In the US, 52% of firms with multiple incidents, and 42% of their Canadian peers, describe themselves as “very confident,” compared with companies that have experienced one or no incidents. They also tend to report stronger funding: among US SMBs with multiple incidents, 45% said their cybersecurity budget is “more than sufficient” and expect further increases, while 25% of Canadian firms in this group said the same.

Training and awareness still lead spending plans

Even as AI tools and managed services attract attention, SMBs continue to put most emphasis on people.

Across both the US and Canada, cyber awareness training is the top investment priority for the year ahead. More than 90% of SMBs said training is “critical” or “very important,” and 42% of US and 43% of Canadian respondents plan to increase spending on training over the next 12 months.

Nearly half of SMBs now go beyond basic awareness sessions. In the US, 44% of organizations and 47% in Canada use structured programs that include phishing simulations, a shift likely driven by concern over AI‑enhanced phishing and deepfake-enabled impersonation.

That focus on the “human layer” aligns closely with the incident data: phishing remains a leading cause of breaches (27% in the US, 21% in Canada), reinforcing why many SMBs are investing in awareness, behavior change and simulation-based resilience.

“Confidence is growing, but the reality is that most breaches still come from preventable issues like phishing, weak passwords, and monitoring gaps,” said Anscombe. “If cyberattacks are the new normal, then getting the fundamentals right matters more than ever.”
