
SMBs Under Attack and Unprepared; MSSPs, MSPs Can Help: Survey

More than 40% of SMBs in the United States have been hit with a cyberattack and most executives for smaller businesses believe that their cyber risks will only ramp up in 2026, according to a survey released this week by startup Guardz.

Despite this, 52% of SMBs rely on either an untrained in-house staff member or even the business owners themselves to manage key security functions without support from an MSSP or MSP.

The Miami, Florida-based company’s 2025 SMB Cybersecurity Survey paints a picture of SMBs that are trying to figure out their path forward in a fast-changing and increasingly dangerous cyberthreat environment in which they can be as much of a target of bad actors as their enterprise brethren.

“It’s not a lack of concern, but rather a gap between awareness and execution,” Guardz co-founder and CEO Dor Eisner told MSSP Alert. “Most SMBs clearly understand that cyber risk is increasing. What they struggle with is knowing what ‘good’ security actually looks like today, and how to operationalize it.”

Informal, Internal Approaches

Many small and midsize businesses are still relying on informal and internal approaches, which could mean an employee with some technical skills, relatively limited tools, or reactive fixes, all of which have worked in the past, Dor said. The problem is that the threat landscape is changing dramatically.

“Attacks are continuous, automated, and increasingly sophisticated, while SMB environments are fragmented and resource-constrained,” he said. “Cost plays a role, but another issue is a gap between perceived readiness and actual risk exposure. SMBs often underestimate the complexity of modern security and overestimate their ability to manage it internally. That mismatch is what leads to the outcomes we’re seeing in the data.”

Guardz, which offers a cybersecurity platform for MSPs to protect SMBs, surveyed owners of 800 U.S.-based smaller businesses that had at least 10 employees. The results echo what other vendors have found.

Help Needed

According to Guardz’s numbers, while 43% said they’d been attacked in the past five years, 27% said they were targeted over the past 12 months, and while 64% of those attacked said they’d recovered relatively quickly, 3% endured significant and lasting damage.

There was also data on how unprotected many of these SMBs are. About 58% of them use network firewalls, 52% use email or spam filters, and 41% have endpoint protection tools. In addition, 26% don’t conduct regular security assessments or penetration tests, and 42% are worried about outdated technologies. Healthcare organizations are most concerned about that, according to the survey.

There are other concerns. Only 34% of these smaller businesses have a formal incident response or continuity plan that was developed with the help of a cybersecurity professional, while 80% of those with such a formal plan were able to avoid major damage during an attack.

Meanwhile, 27% have no cyber insurance, and in 33% of businesses surveyed, the person handling alerts and resolving incidents is the owner. Another 13% rely on untrained employees.

Concerned but Unprepared

The numbers feed into the narrative that many SMBs, while concerned about security, aren’t doing enough to ensure it, and that partnering with an MSP or MSSP could go a long way in helping them.

“What stood out most was how many SMBs are still trying to manage cybersecurity alone, even while acknowledging that risk is increasing,” Dor said. “That disconnect is the real issue. Preparedness makes a measurable difference. SMBs with clear processes and professional support are far more likely to quickly and effectively respond to or avoid serious damage when attacks occur.”

The CEO added that “cybersecurity today isn’t about stopping every threat. It’s about the ability to be proactive, respond quickly, limit impact, and keep the business running. SMBs that recognize that, and partner accordingly, will be far better positioned for what’s ahead.”

SMBs Need Professional Expertise

That said, SMBs are increasingly looking to MSPs not only to deploy security controls but also to interpret risk, guide decisions, and take ownership during incidents, he said, illustrating the shift among MSSPs and MSPs from being merely product providers to being trusted security advisers.

“Once SMBs experience that difference [between having and not having service provider support] firsthand, their perception changes quickly,” Dor said. “MSPs move from vendors to partners. Trust grows when MSPs are proactive, accountable, and embedded in the business. The relationship becomes less about technology and more about shared responsibility for resilience.”

For MSPs and MSSPs, how they talk to SMB owners is important. The owners can understand risks to their business continuity, but only when the risks are talked about in terms of outcomes and consequences. Through this, service providers can demonstrate their real value to the business.

“When the conversation focuses on downtime, recovery time, reputational damage, and operational disruption, it resonates,” Dor said. “Security becomes real when it’s framed in terms of what happens when something goes wrong, not just how threats are blocked. ... Confidence and clarity matter more than technical depth in those early conversations.”

AI is a Key Factor

MSPs and MSSPs can also bring something that many SMBs don’t have: AI expertise. Using AI in security requires such capabilities as integration across the security stack, continuous tuning, signal correlation, and human validation, as well as visibility and transparency into how AI-driven decisions are made.

“Without that, AI can create more noise than protection and erode trust rather than strengthen it,” the CEO said. “For MSPs, AI expertise is becoming essential. AI doesn’t replace people, but rather it enables them to operate at the speed and scale modern threats require. MSPs that understand how to combine AI with expert oversight are best positioned to protect SMBs going forward.”

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
