What Are the Biggest Cyber Threats to Small Businesses in 2026?

The biggest cyber threat to small businesses in 2026 is no longer a virus. It is a convincing human conversation. Attackers now phone, message, and email their way into businesses by tricking a team member into handing over access. They rarely break through any technical wall at all.

This shift has a name in the security world: social engineering. And the numbers behind it should worry every business owner. According to the CrowdStrike 2026 Global Threat Report, 82% of attacks in 2025 involved no malware. Attackers simply logged in using access a real person had been tricked into providing.

Why do attackers target small businesses now?

Attackers target small businesses because the payoff is high and the defences are usually thin. A founder running a 15-person company rarely has a security team. They hold the same kinds of data, banking access, and customer records as a large firm, but far fewer people are watching the door.

There is a hard truth underneath this. An attacker only has to get lucky once. You have to get it right every single time. One team member clicking on a bad link can be enough, and attackers know the odds favour them over a long enough period.

The CrowdStrike report puts a clock on this. It measures "breakout time", the gap between an attacker's first foothold on one machine or account and their spread to the rest of the business. In 2025, the average breakout time dropped to 29 minutes. The fastest recorded case took 27 seconds. In one attack, data began leaving the business within four minutes of the attacker gaining access. Whatever checks you rely on have to work inside that window, because once an attacker has moved sideways, cleaning up means touching every account rather than one.

What does a modern attack on a small business actually look like?

A modern attack usually starts with a phone call or a message, not a dodgy download. The attacker pretends to be someone you trust, builds a little rapport, then asks for something that seems reasonable in the moment. By the time anyone questions it, the damage is done.

The CrowdStrike report tracked a group it calls CHATTY SPIDER that mostly targets law firms. Their method is simple and effective. They phone a team member, talk them into installing a remote access tool, and then start copying files out. In the case CrowdStrike documented, the attacker attempted to steal data within four minutes of gaining that first bit of access.

Another group, SCATTERED SPIDER, barely bothers with technical tricks at all. They call the IT help desk, pretend to be a locked-out team member, and talk the support agent into resetting their password. Once they are in, they move fast. This is voice phishing, often shortened to "vishing", and it works because humans want to be helpful.

What are the main social engineering threats to watch for?

The main threats fall into a few clear categories, and most arrive through email, phone, or text. Knowing the shape of each one makes it far easier to spot the moment something feels off. The table below shows how the most common tactics compare.

The thread running through all of these is trust. The attacker is not defeating your technology. They are borrowing the trust your team members place in a familiar name, a phone call, or a login screen that looks exactly right.

Social Engineering Threats Comparison Table

Common social engineering attacks

Email phishing
How it reaches you: A fake email posing as a supplier, bank, or colleague
What the attacker wants: You to click a link and enter your login details
The tell: Slight wrongness in the sender's address, urgency, odd requests

Voice phishing (vishing)
How it reaches you: A phone call from a "colleague", "supplier", or "IT support"
What the attacker wants: You to reset a password or install software
The tell: Pressure to act now, reluctance to be verified

Help desk impersonation
How it reaches you: A call to your IT support pretending to be a team member
What the attacker wants: A password reset that hands over an account
The tell: A request that skips your normal identity checks

Payment redirection
How it reaches you: An email asking to change bank details for an invoice
What the attacker wants: Your money sent to the wrong account
The tell: A last-minute change to payment details
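Two of the tells above, a sender address that is slightly wrong and a last-minute change to bank details, can be checked by a script before anyone acts on an invoice. The following is an added example written for this page, not a tool from the page or from Kimbley IT. It assumes you keep a short list of supplier and bank domains you genuinely pay (the two domains and the three sample emails below are constructed for illustration), and it flags a message when the sender's domain is a near-miss of a trusted one, when the wording asks to change payment details, or when it pushes urgency.

```python
"""Flag invoice emails that show the tells from the comparison table.

Added example, not the page's own tooling. TRUSTED_DOMAINS and SAMPLE_EMAILS
are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed: domains of the suppliers and banks you actually pay. Maintain this yourself.
TRUSTED_DOMAINS = {"acme-supplies.co.uk", "yourbank.co.uk"}

# Character swaps attackers use so a domain reads the same at a glance.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed)\b[^.]{0,40}?\b(bank|account|payment)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|today|asap)\b", re.I)


@dataclass
class Email:
    sender: str
    subject: str
    body: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Collapse look-alike sequences so 'acrne' compares equal to 'acme'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def sender_domain(sender: str) -> str:
    """Pull the domain out of 'Name <user@domain>' or a bare address."""
    match = re.search(r"@([\w.-]+)", sender)
    return match.group(1).lower() if match else ""


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def assess(email: Email) -> List[str]:
    """List every tell found. An empty list means no tell was spotted, not that
    the email is genuine: a compromised real supplier mailbox passes this check."""
    reasons = []
    domain = sender_domain(email.sender)
    imitated = lookalike_of(domain)
    if imitated:
        reasons.append(f"sender domain {domain} is a lookalike of trusted {imitated}")
    text = f"{email.subject} {email.body}"
    if PAYMENT_CHANGE.search(text):
        reasons.append("asks to change bank or payment details")
    if URGENCY.search(text):
        reasons.append("uses urgency language")
    return reasons


# Constructed sample messages, not real correspondence.
SAMPLE_EMAILS = [
    Email("Accounts <accounts@acrne-supplies.co.uk>",
          "URGENT: updated bank details for invoice 4471",
          "Please note our new bank details below and pay today to avoid a late fee."),
    Email("accounts@acme-supplies.co.uk",
          "Invoice 4471",
          "Please find invoice 4471 attached, due in 30 days as usual."),
    Email("jo@partner-firm.example",
          "Account update",
          "We have changed our account details. Please update your records before the next payment."),
]

if __name__ == "__main__":
    for email in SAMPLE_EMAILS:
        reasons = assess(email)
        status = "HOLD PAYMENT, verify by phone" if reasons else "no tells found"
        print(f"{email.sender}: {status}")
        for reason in reasons:
            print(f"  - {reason}")
```

The third sample shows why the script is a prompt rather than a verdict: the sender is not a lookalike of anything, yet it still asks for a bank change, so the right response is a call to a number you already hold for that supplier, never the number printed in the email.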

How can a small business protect itself from these attacks?

You can dramatically reduce your risk with a handful of practical changes, and none of them requires a technical background. You will never make your business impossible to attack. What you can do is make it hard enough that attackers move on, and limit the damage if one ever gets through.

Here are five things you can do right now.

  1. Turn on proper Two Step Verification everywhere. A stolen password is far less useful when a second check stands in the way. Not all methods are equal, though: a text message code is one of the weaker options, while passkeys and hardware security keys are the strongest because there is no code for a caller to talk out of you. We ranked every type of Two Step Verification from worst to best so you can pick the strongest one your team will actually use.

  2. Agree on a codeword for money and access requests. If someone calls or emails asking to move money or change bank details, your team should verify it through a separate, trusted channel first: ring back on a number you already hold, never one supplied in the request. A simple spoken codeword, agreed in person and never repeated in an email, stops both voice fraud and fake invoice emails. We explain how to set one up in our guide to verifying financial requests with a codeword.

  3. Give your IT help desk a strict identity check. Attackers love a help desk that resets passwords on request. Insist that anyone requesting a reset prove who they are first, every single time, with no exceptions for people in a hurry, and apply exactly the same check to resetting Two Step Verification or registering a new phone, because that is what an attacker needs once the password has changed.

  4. Teach your team to slow down. Almost every social engineering attack relies on urgency. A team member who feels safe pausing to double-check a strange request is your single best defence. Make it clear that checking is encouraged, never a nuisance.

  5. Keep a tested backup you can actually restore from. If the worst happens, a clean backup is the difference between a bad afternoon and a closed business. Make sure someone has tested that you can genuinely retrieve your data, rather than just confirming a backup exists somewhere, and keep at least one copy that an attacker holding your admin login cannot reach and delete.

Why is partnering with an IT provider the strongest defence?

Partnering with an IT provider is the strongest defence because attackers exploit gaps a busy founder cannot monitor. You are running a business. You cannot also be on guard for a 27-second attack at 2am on a Sunday. A good provider can.

This is the honest reason businesses partner with Kimbley IT, a UK managed IT services provider. We work from the assumption that one day, one of our clients will face a serious attack. It is inevitable, given enough time. Our job is to ensure that, on that day, the damage is minimal and the recovery is swift.

We do that with a technology setup we have built, standardised, and hardened over decades of running real businesses through real threats. So far, no attack against it has succeeded. That is not luck. We chose secure tools, configured them properly, and watch them constantly. A founder doing their own IT simply has no time for that work.

It comes down to knowledge and attention. A business owner handling their own security only has to slip up once. We are watching all the time, across every account, so a single mistake does not become a disaster. If you want to understand the broader benefits, we wrote a separate guide on why partnering with the right IT support transforms your business.

Frequently asked questions

  • What is social engineering? Social engineering is when an attacker tricks a person into giving them access, instead of hacking through technology. They might pose as a colleague, supplier, or IT support over the phone or email. It works by borrowing the trust people naturally place in familiar names and routines.

  • Are small businesses really at risk? Very much so. They hold sensitive data and banking access but rarely have a security team watching for threats. Attackers see them as easier targets than large firms, where defences are usually stronger and more closely monitored.

  • Does Two Step Verification stop these attacks? It stops a large share of them, because a stolen password alone is no longer enough to get in. It is not perfect, and weaker methods like text message codes can be bypassed. Stronger options like passkeys and security keys give far better protection for your accounts.

  • How quickly does an attack spread? Very quickly. The CrowdStrike 2026 Global Threat Report found the average attacker moved across a business in 29 minutes, with the fastest case taking 27 seconds. In one attack, data began leaving the business within four minutes. Fast detection and response matter more than ever.

  • What should a small business do first? Turn on the strongest Two Step Verification your team will use, then agree a codeword for any request involving money or account access. These two steps block the most common attacks. After that, a tested backup and an IT partner watching your accounts give you proper resilience.

Ready to take the pressure off?

You should not have to lie awake worrying whether a single email could take your business down. If you want help putting these protections in place, the next step is to book a video call with Kimbley IT using the form below. We will show you exactly how we keep our clients secure and ready for whatever comes.

James Kimbley

Founder, Entrepreneur & Investor at Kimbley IT Limited

My team organises your business IT with Google Workspace, AI, Cyber Security & Support in One Package, trusted by 65+ UK businesses. Kimbley IT is a Google Cloud Partner, and Google Workspace is at the heart of everything we do. We recommend it because we've spent nearly 20 years helping UK businesses get the most from it and not because anyone asked us to.

Connect with me: LinkedIn (https://www.linkedin.com/in/jameskimbley/) • Threads (https://www.threads.com/@james.kimbley) • View All Posts (https://www.kimbley.com/blog?author=50c5e9d6e4b033df8f3030ec)

www.kimbley.com