For a long time, many small businesses operated with the assumption that they were not big enough targets to worry about. They reasoned that they were not worth the effort.
That assumption made sense when cyberattacks required skilled people, significant time, and a target worth the investment. A law firm with twenty staff or an accounting practice with thirty employees simply was not worth the overhead.
That has changed. And the change has happened faster than most people realise.
What has shifted
Artificial intelligence (AI) has fundamentally altered the economics of cyberattacks. Tasks that previously required hours of skilled human effort — scanning for vulnerabilities, crafting convincing phishing emails, identifying weak points in a network — can now be automated, executed at scale, and completed in minutes.
This is not a distant possibility. It is already happening.
AI-generated phishing emails now achieve open rates of between 54% and 78%, compared to roughly 12% for traditional attacks, according to Microsoft’s 2025 Digital Defence Report. The emails are well-written, contextually appropriate, and difficult to distinguish from legitimate correspondence. Staff who have been trained to spot obvious phishing attempts are now facing something considerably more convincing.
A similar trend has been observed with websites in a Patchstack report. In part, AI advancements resulted in a 42% increase in new vulnerabilities found in the WordPress ecosystem. Attackers are increasingly utilising complex methods, moving from one-off compromises to persistent multi-stage attacks.
More importantly, the cost of running these attacks has dropped to the point where targeting a small business is no longer inefficient. Automated tools do not weigh up whether a target is worth pursuing. They simply scan, identify, and act.
The result is that small and medium businesses now account for the majority of confirmed data breaches globally. This trend is firmly based on the fact that automation has removed the friction that once made them unattractive targets.
The window between vulnerability and attack
There is another shift worth understanding, and it relates to the speed at which known vulnerabilities are exploited.
A few years ago, the average time between a software vulnerability being discovered and an active exploit appearing in the wild was measured in months. That window gave organisations time to patch, update, and address the issue before it became a real risk.
That window has collapsed. The median time from discovery to active exploitation is now measured in hours, not days.
For businesses that patch systems quarterly, or only when something breaks, this represents a meaningful exposure. Unpatched systems are not just a theoretical risk. They are actively exploited.
Where this is likely heading
It is worth offering some perspective here, because the picture is not entirely bleak.
The same AI capabilities that are accelerating attacks are also being used defensively. Security researchers are using AI tools to identify vulnerabilities in widely-used software before attackers can exploit them. Code can now be reviewed and tested more thoroughly than was previously practical. Over time, this should lead to a higher baseline standard of security in the software and systems that businesses rely on.
The honest assessment, however, is that this improvement is a longer-term development. The tools and practices required to realise it are not yet in place at the scale needed, and many businesses, including large ones, are still running systems and software that have not been updated in years.
For most SMEs, the relevant reality is this: the threat environment is more active now than it has ever been, and the foundations that reduce exposure are the same ones that have always mattered. They just matter more urgently.
What actually reduces your exposure
There is a temptation in conversations about cybersecurity to focus on tools. To ask which software to buy, which service to subscribe to, or which product will provide protection. These questions are understandable, but they often miss the point.
Most of the incidents we see in SME environments do not happen because a business lacked a particular tool. They happen because basic practices were not in place, and not applied consistently.
The following are not advanced security measures. They are the foundations. Getting these right does not guarantee that nothing will ever go wrong, but it removes the most common entry points that attackers rely on. More importantly, they remain the first line of defence.
- Patch and update on a real schedule: Operating systems, applications, and network devices need to be kept current. This is not a once-a-year activity. Given how quickly vulnerabilities are now exploited, a regular and structured update process is one of the most effective things a business can do.
- Enable multi-factor authentication, especially on email: Multi-factor authentication, requiring a second confirmation step beyond a password, blocks the overwhelming majority of automated account attacks. Despite this, most small businesses have not enabled it. Email accounts are a primary target because access to email often provides access to everything else.
- Treat backups as a system, not a task: Having a backup is not the same as having a working backup. Ransomware attacks now routinely target backup locations as part of the initial compromise. Backups need to be isolated, tested regularly, and verified. An untested backup that cannot be restored under pressure is not a backup — it is a false sense of security.
- Know what is on your network: Unmanaged devices, forgotten systems, and outdated equipment are common entry points. A basic understanding of what is connected to your network and whether those devices are maintained is more valuable than most businesses realise.
- Help staff recognise what phishing looks like now: Awareness training needs to reflect current attack methods. The phishing emails that staff encounter today look different from what they were trained to spot two or three years ago. Keeping awareness current is a simple but often overlooked step.
A practical way to think about it
Prevention is significantly less expensive than recovery. The cost of maintaining a structured, proactive IT environment is a fraction of what a single incident typically costs in downtime, data loss, recovery effort, and reputational damage.
This is not an argument for spending more than necessary. It is an argument for spending purposefully and consistently on the basics now, rather than racking up a hefty bill for recovery later. It makes business sense to invest consistently in prevention rather than face the unpredictable cost of recovery.
The businesses that come through security incidents with the least damage tend to be the ones that had the fundamentals in place, not necessarily because they anticipated the specific attack, but because consistent maintenance left fewer gaps to exploit.
Where to start
If you are not sure where your business currently stands, a structured review of your IT environment is a useful starting point. A security audit can assist in getting a clear picture of what is in place, what is not, and where the most significant exposures are.
From there, addressing the foundations, particularly patching, authentication, backups, and basic staff awareness, tends to have the most impact for the least complexity.
If you would like to talk through what that looks like for your business, get in touch with the IT Trust team. IT Trust is a managed IT services provider with over two decades of experience supporting SMEs. We help businesses maintain stable, secure IT environments through proactive management and preventative support.

