In 2024 alone, 76 percent of U.S. businesses self-reported a cybersecurity breach or potential breach to authorities, according to Apricorn’s 2025 annual survey of U.S.-based IT security decision-makers.
And it wasn’t just large businesses in the crosshairs — VikingCloud’s 2025 SMB Threat Landscape Report found that one in three small and medium-sized businesses (SMBs) were hit by a successful cyberattack in the past year.
SMBs are an ideal target for cybercriminals; they have access to valuable data and operations but typically lack the extensive security infrastructure of large enterprises.
So what can SMB leaders do to better prepare for the latest cybersecurity challenges? The first step is awareness: understanding the latest threats at your doorstep.
AI-powered Social Engineering
Social engineering is the manipulation of a person’s trust to trick them into sharing sensitive information, authorizing financial transactions, or compromising enterprise security. These attacks usually use AI-generated phishing and deepfake impersonations to gain their target’s trust.
But AI-based attacks aren’t limited to email or videos. Phishing links can be delivered via browser push notifications, SMS, and even phone calls. This makes the traditional, rule-based security protocols used by mid-market businesses ineffective. To protect themselves, SMBs should regularly monitor every channel through which these threats can arrive.
Quantum Computing Threat Horizon
Today’s encryption algorithms rely on tough mathematical problems that even supercomputers need years to solve. However, Gartner predicts that quantum computing will make existing encryption methods fully breakable by 2034. In other words, the foundational security that protects everything — from online banking to emails, e-commerce, and blockchain — will become obsolete overnight.
SMBs should track these developments and start budgeting now to upgrade their cryptographic infrastructure in the coming years. If you’re using third-party services or software, make sure those providers are taking steps to implement quantum-safe cryptography as well.
Third-party Security Risks
Last year’s HLB Cybersecurity Report found that 37% of organizations experienced a cybersecurity breach through a third-party vendor. Hackers target smaller vendors because they have limited security infrastructure, making it easier to exploit them.
Once they’re in, hackers can expand their attack to cripple hundreds of businesses linked to the vendor, with the intention of reaching their actual target.
That’s what happened with Progress Software’s MOVEit file transfer app. Attackers exploited a vulnerability in the app to hit one customer, PBI Research Services, which then gave them access to over 2,700 organizations, affecting 93.3 million individual records in the process.
Operational Technology Security Challenges
Unlike information technology (IT), operational technology (OT) refers to software systems that manage operational processes like manufacturing, energy, supply chain, and transportation.
Traditionally, OT systems operated in isolation. Today, however, businesses are connecting OT systems to their corporate network to enable real-time remote monitoring, data analytics, and resource allocation. This convergence makes operations efficient, but it also makes them susceptible to cybersecurity threats.
In 2024, Russian ransomware group ALPHV BlackCat infiltrated Change Healthcare’s systems, compromising operations for hospitals across the U.S. and impacting patient care, revenue, and finances. It took almost three months for affected hospitals to resume normal operations.
How to Adapt Your Strategy to the New Threat Landscape
1. Prioritize Cybersecurity Investment
Most mid-market businesses have limited budgets, so ensure you’re investing in the areas that hackers typically target. Since most attacks try to steal credentials, create a strong authentication system using methods like multi-factor authentication or passwordless access. You can also use a third-party service to monitor your vendors for cyber incidents or data leaks.
To address the ever-evolving threat landscape, businesses should build a strong cybersecurity foundation that reframes cybersecurity protection and prevention as a core operational issue rather than just an IT responsibility.
2. Assess & Test Your Vulnerabilities
Many breaches come down to fundamental failures like weak passwords, outdated systems, or misconfigured servers. Addressing these shortcomings can significantly reduce cyber incidents. Regular patch management, vulnerability scanning, network segmentation, and cybersecurity audits can uncover and fix hidden vulnerabilities. But testing is just as important.
Failing to test your organization’s cybersecurity controls is like having a security system installed in your house … then leaving home without checking your locks. It’s an apt analogy that underscores a critical truth about IT resilience: Trust in your systems is good, but verification is essential.
The importance of testing and assessing cybersecurity controls cannot be overstated. For organizations of all sizes — especially those heavily reliant on digital infrastructure — these controls are often the last line of defense against increasingly sophisticated cyber threats.
Yet, despite the effort spent creating policies, deploying systems, and drafting recovery plans, organizations often neglect to validate whether those solutions perform as expected. Regular testing of cybersecurity controls is crucial because it will help you:
- Identify Vulnerabilities Before Hackers Do.
- Ensure Systems Work as Intended.
- Adapt to Evolving Threats.
- Strengthen Incident Response Readiness.
- Maintain Compliance.
3. Build a Stronger Security Culture
It’s nearly impossible to prevent every cyberattack, and everyone — from your summer interns to your CEO — is susceptible. However, some employees may hesitate to report an incident, fearing repercussions for their actions. You can create a more cybersecurity-friendly environment by organizing continuous cybersecurity training. Doing so educates employees on the latest threats while normalizing conversations about cybersecurity.
Unsure if your organization’s cybersecurity protections are keeping up with the latest cybersecurity challenges? Reach out to the Rehmann Technology Solutions team for a free consultation.
This article was created in collaboration with HLB International, a global network of independent advisory and accounting firms. As a member of HLB, Rehmann enables its clients to enjoy access not only to 1,000+ Rehmann associates across nearly two dozen offices in the United States but also more than 40,000 tax and advisory professionals operating in 150+ countries.




