Small to medium-sized businesses (SMBs) have traditionally outsourced security to managed service providers (MSPs). However, some may be considering a change. Tighter budgets, a desire for more control over security, or even company growth may lead some to take security into their own hands.
MSPs can be a vital asset for SMBs that lack the resources and expertise to make sure they are secure. Outsourcing means that someone else is carrying the burden—but doing it in their own way. If an SMB wants to have greater control over their security, it’s not simple or straightforward, but neither is it impossible.
SMBs that take this course should get the essentials right first. It’s easy to get distracted or even overwhelmed by the constant news around emerging threats. SMBs must block out the noise and zero in on the essential protections that address the attacks they’re likely to face.
The Real Threats Facing SMBs
Eye-catching buzzwords like "quantum malware" and "AI deepfakes" dominate headlines because they’re novel and fascinating to learn about. These headlines only serve to distract from the real risks most SMBs regularly face. Research into the threats SMBs face proves that the actual culprits are much more familiar.
- Ransomware: 88% of confirmed SMB breaches in 2024/25 involved ransomware or data extortion. It remains the single most disruptive and costly threat.
- Business Email Compromise: Business Email Compromise remains one of the costliest enterprise scams, often executed via phishing and MFA bypass kits like Tycoon 2FA.
- Credential Theft & MFA Fatigue: Over 60% of web app breaches stemmed from stolen or reused credentials.
- Unpatched Systems & Exposed Services: Attackers commonly exploit known vulnerabilities in outdated software and misconfigured remote access portals.
- Social Engineering: Phishing, impersonation, and pretexting attacks are a trusty staple in a hacker’s tool kit and a popular tactic.
These aren’t cutting-edge cyber weapons, but the same techniques hackers have been using for years, perhaps with a few upgrades. Simple techniques persist because basic protections are often missing, misconfigured, or poorly enforced.
Focus on the Cyber Essentials
The good news for SMBs is that defending against these attacks doesn’t require the budget of a global conglomerate. It starts with getting the basics right.
- Identity & Access Management: Most breaches begin with compromised credentials: 88% of basic web application breaches involved stolen credentials, and according to Microsoft, 99.9% of compromised accounts did not have MFA, leaving them more vulnerable. The best approach is to move beyond passwords to passkeys or FIDO2 tokens. But if this isn’t an option, enforcing phishing-resistant MFA everywhere can prevent attacks.
- Email & Phishing Protection: Email remains a top vector for attacks. Improve email defence by enforcing authentication protocols such as SPF, DKIM, and DMARC, which can be used to block spoofed domains. Alternatively, think about using a secure email gateway or filters that make use of AI anomaly detection.
- Cyber awareness: Cybersecurity awareness training is also a good option, but its effectiveness depends on how well security is integrated into an organisation’s culture. A company that doesn’t make security a core part of day-to-day business will see this attitude trickle down to the whole business, and no training can fix this.
- Ransomware Defence: Preventing and recovering from ransomware doesn’t come from a single solution, but requires a layered protection approach. This is made up of:
  - Endpoint detection and response (EDR) across devices
  - Regularly scheduled and tested backups that make recovery possible without ransom payments
  - Updating critical patches
  - Restricting remote access and monitoring for suspicious behaviour
- Adopt a Framework: The UK’s Cyber Essentials certification offers a practical, affordable baseline, and the NIST Cybersecurity Framework is an alternative. These frameworks help prioritise activity and give credibility to a business effort, especially if selling to larger enterprises or regulated sectors.
The Threat is Real
If an SMB decides to take security in-house, this move needs to minimise risks. It’s easy to assume that hackers are chasing big game, and smaller businesses are safe, but this is not the case—SMBs are increasingly seen as “good” targets.
N-able’s threat team observed a dramatic rise in detected threats across SMBs, from approximately 48,749 in June 2024 to over 13.3 million by June 2025, as they increasingly invest in the proper security tools to monitor their environments and mitigate risk.
The industrialisation of cybercrime means SMBs can no longer afford to be passive participants in their own defence. Outsourcing to an MSP may still make sense for many, but for those ready to go in-house, the transition is entirely possible, though it needs the right focus.
An approach to consider is building a solid foundation centred around MFA, access control, backups, and employee awareness. Once this is in place, it’s a case of maintenance and adjustment, and potentially adding tools based on emerging threats that pose a real danger, rather than those that make the headlines.
Written by
Kevin O'Connor
Director of Threat Research
N-able
Kevin O'Connor is a cybersecurity pro with over 15 years of experience defending networks, reverse engineering malware, and chasing advanced threats around the world. From serving as a Branch Technical Director at the National Security Agency, to APT Intelligence at CrowdStrike, and scaling Threat Research and IR Operations at Adlumin, Kevin has worked across intelligence, private sector, and startup environments. He has a passion for turning complexity into clarity, and he speaks on cyber threats, resilience, and how security teams can outpace evolving attacks.