
Report Finds Many Businesses Are Turning to Cyber Insurance

Kale Havervold


A new report on cyber resilience and other cybersecurity-related topics among small and medium-sized businesses (SMBs) in North America found that many companies are turning to cyber insurance to protect their operations. The report also provides insights into the most common causes of data breaches, what businesses are primarily worried about, and more.

Most SMBs in North America Rely on Cyber Insurance

Recently, ESET released the company’s 2026 SMB Cyber Readiness Index – North America edition report. The report surveyed 700 cybersecurity decision-makers across a variety of U.S. and Canadian companies and industries to get their thoughts and insights about cyber resilience, incidents and reporting, investments, and various other cybersecurity topics.

One of the most interesting insights from the report is the prevalence of cyber insurance. For those unfamiliar with it, cyber insurance is a product that helps businesses lessen the financial impact of cybercrime activities like data breaches, hacks, ransomware, and others.

In the USA, 86% of SMBs carry cyber insurance, compared to 78% of Canadian SMBs. While a variety of companies can and do carry cyber insurance, businesses that have had one or more cybercrime-related incidents are more likely to have it.

In fact, 95% of U.S. SMBs and 92% of Canadian SMBs that have suffered multiple incidents carry insurance, while only 77% of U.S. SMBs and 68% of Canadian SMBs with no incidents have it.

In addition to protecting companies themselves, cyber insurance is playing a role in helping businesses shape and improve their security practices.

For example, 55% of insured SMBs in the USA and 41% of Canadian insured SMBs are required to implement specific security controls, often involving continuous monitoring or a Managed Detection and Response (MDR)-style service as a condition of the coverage.

Confidence in Cyber Resilience Remains High

Whether it’s directly tied to many companies having insurance or due to other factors altogether, confidence in cyber resilience among businesses is high. According to the report, 87% of U.S. and 83% of Canadian SMBs said that they feel slightly to very confident that their business is cyber resilient. 

This high level of confidence may also be due to the fact that many companies expect and prepare for attacks nowadays, as they’re the new norm in business and not nearly as rare as they once were.

Many Businesses Are Worrying About the Wrong Threats

That being said, these companies are still concerned about cybersecurity-related threats. However, many companies may actually be worrying about the wrong ones. The top concern for SMBs (34% of Canadian SMBs and 32% of American SMBs) over the next year is AI-powered malware.

While this is a valid concern, as AI has certainly accelerated digital fraud and cybercrime in general, AI-powered malware isn’t the leading driver of cyber incidents.

Phishing (27%), lack of security monitoring (27%), and unpatched security vulnerabilities (25%) are the leading drivers in the USA, while phishing (21%), weak passwords (20%), and insufficient security monitoring (20%) lead the way in Canada.

Attacks Are Rising, More Important Than Ever For Companies to be Prepared

Cyber attacks remain incredibly common for businesses across the USA and Canada, and likely aren’t going anywhere soon. As a result, it’s more important than ever for businesses to treat these attacks and attempts as a regular part of business going forward.

In fact, over the last 12 months, 54% of American and 46% of Canadian SMBs report at least one incident. Even with increased awareness and preparation, businesses are still being targeted and successfully compromised.

To deal with this ever-present threat of cyber attacks, SMBs are prioritizing investments in cyber awareness training, along with preventative measures like better security controls or cyber insurance.

Over 90% of SMBs in both the USA and Canada say that training is critical or very important, and nearly half of SMBs go beyond basic training and use structured programs that include phishing simulations.

Even if you haven’t dealt with any threat at your business yet, that day may come, so make sure your business is prepared. Whether this is through better training, stronger policies, monitoring technology, cyber insurance, or some combination of them all, cyber threats aren’t going anywhere, so companies need to ensure they’re ready for them.

Author

Kale Havervold

E-commerce Insights Reporter

Kale Havervold is a writer with extensive experience writing on topics like ecommerce, business, technology, finance, and more.

His interest in ecommerce dates back several years, and he consistently stays up to date with industry news, trends, and insights. Combining this interest with his knowledge of the industry and in-depth research, he’s comfortable covering breaking news, creating guides, writing reviews, and everything in between.