ESET has published its SME Cyber Readiness Index 2026, based on a survey of 4,400 decision-makers from small and medium-sized businesses (SMBs) across North America, Europe, and Asia. The report examines current cybersecurity practices, perceptions, and preparedness across these organisations.
The index highlights the evolving role of Artificial Intelligence (AI) in cybersecurity, noting that it is contributing both to new types of threats and to defensive capabilities. One example discussed is AI-powered malware, which is identified as an emerging threat, though it is still reported as relatively uncommon at present.
According to the findings, 45% of SMBs experienced at least one cybersecurity incident in the past year, with 14% reporting more than one incident. 61% of respondents said they have serious concerns about cyberattacks, while 75% consider cyberwarfare and broader geopolitical conflicts to be a relevant risk to their operations.
In terms of resilience and preparedness, 68% of SMBs reported confidence in their cybersecurity measures, and 75% said they trust their ability to respond effectively to incidents. Additionally, 65% indicated satisfaction with their current cybersecurity budgets, while 15% reported being highly satisfied.
The report also emphasises the role of education and training. 87% of respondents recognise employee education as important for resilience, and 67% conduct cybersecurity training more than once a year. At the same time, 6% rely only on basic awareness training, and 2% report not providing formal training.
Other findings include that 68% of SMBs believe they can prevent attacks, and more than one third review or investigate cyber incidents within two weeks.
Despite these measures, the report notes ongoing concerns, including limited attention among some SMBs to risks such as supply chain attacks and threats linked to AI-enabled tools, including shadow AI use.
Overall, the survey suggests gradual improvements in cybersecurity readiness, influenced in part by insurance and compliance requirements, alongside a growing recognition that organisations of all sizes can be potential targets.
