ESET's 2026 SMB Index: 45% Hit by Attacks, AI Malware Now the Top Fear
ESET's SMB Cyber Readiness Index 2026 reveals 45% of small and mid-sized businesses suffered a cyberattack in the past 12 months. AI-powered malware has overtaken all other threats as the top concern, even as overall confidence in cyber resilience improves.

Small business employee facing a cybersecurity alert on a laptop screen, representing the growing threat of AI-powered cyberattacks on SMBs in 2026
ESET, the global cybersecurity vendor, has released its SMB Cyber Readiness Index 2026, drawing on a survey of 4,400 decision-makers across organisations with between 25 and 1,000 endpoints in 13 countries spanning North America, Europe, and Asia. Distributed through Dubai-based communications firm Vistar Communications, the findings paint a picture of a segment growing more confident in its defences whilst simultaneously confronting a threat landscape that is evolving faster than many had anticipated.
The headline figure is stark. Nearly half of all SMBs surveyed, 45%, reported experiencing at least one cybersecurity incident in the previous 12 months. Of those, 14% experienced more than one. For a segment that has historically underestimated its attractiveness to threat actors, the data confirms that organisational size is no longer a meaningful deterrent.
AI-powered malware takes the top spot
Among the threat categories assessed, AI-powered malware emerged as the single greatest concern for SMB security teams, despite remaining relatively rare in practice. The finding reflects growing awareness among practitioners that the barrier to deploying sophisticated, automated attacks is falling as AI tooling becomes more accessible to threat actors.
Supply chain attacks and the risks posed by shadow AI tools were identified as areas where SMBs continue to underestimate their exposure. This is a gap that security leaders across the MENA region will recognise from their own enterprise environments. The index also found that 75% of respondents consider cyberwarfare and global conflicts to be real threats capable of affecting their business operations, a finding with direct relevance for SMBs operating across the Gulf, where the geopolitical threat environment has intensified significantly.
Confidence is rising, but gaps remain
The index highlights several trends that represent genuine progress. Sixty-eight per cent of SMBs report confidence in their ability to prevent attacks, and 75% express trust in their cyber resilience when responding to incidents. Only 11% of respondents now operate with minimal cybersecurity protection, a figure that has declined from prior survey cycles.
Employee security awareness also appears to be maturing. Eighty-seven per cent view staff education as very important or critical to cyber resilience, with 67% conducting training more than once per year. Just 6% rely solely on basic awareness programmes, and a concerning 2% provide no cybersecurity training whatsoever.
Budget satisfaction has also improved. Sixty-five per cent of SMBs report satisfaction with their cybersecurity budgets, with an additional 15% describing themselves as more than satisfied. Insurance and compliance requirements are increasingly cited as drivers of stronger security practices, suggesting that external pressure is producing measurable improvements in posture across the segment.
Incident response timelines are also tightening. More than one third of SMBs investigated cyber incidents within two weeks, a meaningful shift from the delayed response patterns that characterised the segment in earlier survey cycles.
What this means for GCC and MENA SMBs
The GCC SMB sector is expanding rapidly as governments across Dubai and the broader Gulf pursue economic diversification and private sector growth agendas. As more SMBs integrate cloud services, digital payment platforms, and enterprise software, the attack surface available to threat actors grows alongside them.
The pattern identified in the global data, where confidence is improving but awareness of sophisticated threats such as AI-powered malware and supply chain attacks lags, is likely to be more pronounced in markets where cybersecurity maturity is still developing. The GCC's evolving regulatory frameworks, including the UAE National Cybersecurity Strategy and SAMA's Cybersecurity Framework in Saudi Arabia, are pushing organisations to formalise their security postures, but that pressure has historically been slower to reach smaller businesses.
The supply chain risk dimension is particularly pertinent. As illustrated by the Trellix source code breach earlier this year, even SMBs with no direct exposure to a compromised vendor can face indirect risk through shared technology ecosystems. For SMBs across the region, the ESET findings provide a useful benchmark against which to assess their own readiness and identify the specific areas where investment will have the greatest impact.
Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA RegionOmar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.