
The Seven Deadly Sins Behind Repeat SMB Breaches


Smaller businesses share many of the same cyber risks as larger enterprises, including the same operational failures that are preventable but repeatedly arise during investigations – what SonicWall calls “The Seven Deadly Sins.”

Like larger organizations, SMBs are often guilty of a number of sins, from assuming a reactive security posture that doesn’t include 24/7 monitoring, to the "we're too small to be a target" assumption, to chasing hype over execution by buying the hottest tools but not deploying them completely.

This isn’t an SMB problem. It’s a business problem, and enterprises are just as guilty, according to Michael Crean, senior vice president and general manager of managed security services at SonicWall. However, what makes SMBs uniquely exposed to threats isn’t just the sins themselves but the absence of a safety net when those security gaps catch up with them, Crean told MSSP Alert.

“A large enterprise can absorb a breach,” he said. “They have incident response teams, legal counsel on retainer, cyber insurance with real coverage, communications professionals, and the financial runway to recover. An SMB has none of that. When the same breach hits a small business, there's often one person trying to manage it, no playbook, and a recovery bill that can exceed $4 million when you factor in downtime and lost business. For many of them, that's not a setback. That's the end.”

Not Too Small to Attack

There is also the sin of false confidence, with many SMBs believing that they’re too small for threat actors to target. Crean called the mindset “the most dangerous belief in cybersecurity right now, and it lives primarily in the SMB space.”

Pointing to the 2026 SonicWall Cyber Protect Report, released March 31, he noted that ransomware was present in 88% of SMB breaches last year, compared to only 39% of attacks against large enterprises.

“That's not because SMBs are doing something uniquely wrong,” Crean said. “It's because attackers know that smaller organizations are easier to breach, slower to detect, and less likely to have the defenses that would slow them down.”

The Need for MSSPs and MSPs

This year, SonicWall reframed its annual security report, shifting its focus from threats to protection outcomes for SMBs. The aim is to help SMBs and their MSSPs and MSPs understand what keeps them running and resilient, Crean stated. A key message for SMBs is that cybersecurity is a team sport.

“We deeply believe that partners deliver the best security outcomes,” he wrote. “SMBs should not do it alone. MSPs and MSSPs play a critical role in delivering protection at scale, and this report is designed to equip them with the language and data they need for strategic conversations with decision makers.”

It’s a trend other surveys have noted and something Crean has seen firsthand over more than two decades as CEO of Solutions Granted, an MSSP that SonicWall bought in 2023 as part of its multi-year organizational push to build out its MSSP and MSP offerings and become the first-in-line security vendor for SMBs and midmarket companies.

Bridging the Resource Gap

“The resource gap is real, and it's not going to close on its own,” he said. “Most SMBs have one or two people managing everything from endpoints to cloud accounts to user support and to security. Those people are already stretched. You can't hand them another tool and expect a better outcome.”

That’s where MSSPs and MSPs are critical, and Crean said the opportunity for them is larger than most realize. He added that there’s room for both models.

“Not every MSP needs to become an MSSP,” he said. “What they need to do is partner with one. Think of it like medicine. Not every doctor needs to be a surgeon, but every doctor should know when their patient needs one and have the right relationship to make that referral.”

Attacks More Precise, Relentless

For the report, SonicWall used data from its global network of more than 1 million security sensors. Researchers found that threats are becoming more precise and relentless. For example, high- and medium-severity attacks increased 20.8%, and automated bots generated more than 36,000 vulnerability scans per second, accounting for over half of all internet traffic. Traffic from bad bots accounted for 37% of global internet traffic.

Internet of Things (IoT) attacks rose 11%, and identity, cloud, and credential compromise made up 85% of actionable security alerts. Essentially, bad actors are using stolen credentials rather than zero-day vulnerabilities. The threat from attackers’ use of AI and from nation-state threat groups targeting SMBs is also growing.

The report also found that four years after its disclosure, the Log4j vulnerability generated 824.9 million IPS hits. The number of IPS hits “tells you everything you need to know about the state of vulnerability management at scale,” Crean said. “It's not a famous cheat code that was published years ago, and everyone forgot about, it's one that's still typed in every single day because the game never patched it out, and it still works every time.”

It’s a race against the clock, and bad actors are winning. The report found 77% of organizations need more than a week to deploy patches across the enterprise, and 14% need more than four weeks. That said, 75% of exploits occur within four days of a proof-of-concept being published, and 61% strike within 48 hours, he said.

The Deadly Sins

SonicWall listed the Seven Deadly Sins to put a spotlight on what SMBs, midmarket firms, and partners need to focus on. Along with false confidence, a reactive security posture, and hype over execution, the sins include ignoring fundamentals – like using strong authentication and patching systems – overexposed access, and cost-driven security decisions.

There is also a reliance on legacy access models, including VPNs that authenticate once and grant broad network access. SonicWall found that VPN critical vulnerabilities jumped 82.5%.

“Today, the most common cause of security incidents is not advanced malware or exotic attacks,” Crean wrote. “Security misconfiguration is a rapidly escalating risk ... highlighting how foundational weaknesses are becoming one of the most critical drivers of cyber exposure.”

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
