
2025 was marked by the commercialisation of cyber crime and AI-enhanced attacks, resulting in a record number of phishing attacks globally. While enterprise breaches dominated the headlines, data from Yubico’s 2025 Global State of Authentication Report suggests that the year ahead poses an even greater challenge to the backbone of the economy: small businesses.
According to the report, small businesses are facing a new wave of vulnerability, driven by a lack of resources and dangerous misconceptions about their appeal to attackers.
Key findings regarding the small business threat landscape include:
- The training gap: A staggering 60 percent of entrepreneurs/sole traders and 57 percent of employees at small businesses (1–99 staff) received no cybersecurity training in 2025, leaving them defenceless against AI-driven social engineering
- The MFA lag: Despite the rise in credential theft, 46 percent of entrepreneurs and 39 percent of small business employees report that their company does not use multi-factor authentication (MFA) across all applications
- False security: The primary reason for this lack of protection is complacency; 36 percent of entrepreneurs believe their business simply “doesn’t require” robust authentication measures like MFA
Furthermore, the research highlights a dangerous disconnect in security habits and perceptions based on professional roles:
- Out-of-touch workplace culture: There is a significant gap in perception; while 44 percent of C-Suite members believe their company has “very good” cybersecurity in place, only 25 percent of entry-level employees agree, suggesting a discrepancy in cyber awareness
- The executive risk: C-Suite executives are frequently the weak link. Data reveals that 11.6 percent of C-Suite members admitted to interacting with a phishing message in the last week alone, compared to just 8.8 percent of entry-level employees
Niall McConachie, regional director (UK & Ireland) at Yubico, comments on the specific risks to small businesses and the necessary resolutions for 2026:
“Small businesses are currently operating under a dangerous misconception: believing they’re too small a target for attackers. In the age of AI-driven cyber crime, automated tools target all employees and businesses the same. Every unsecured entry point is a target, and our data confirms that entrepreneurs are leaving the front door wide open by neglecting basic training and not implementing multi-factor authentication (MFA).
“The disconnect between the C-Suite and the frontline is equally alarming. C-Suite executives are privy to the most sensitive information in the business, yet the data shows they are interacting with phishing attempts at a higher rate than entry-level staff. This proves that rank does not equal immunity; in fact, it creates a critical risk where the individuals holding the most valuable data are the most susceptible. When those at the top believe security is ‘very good’ while simultaneously falling for attacks, it fosters a dangerous culture of complacency.
“For 2026, the resolution for small businesses must be the widespread adoption of enterprise-grade security. We need to abandon the idea that robust authentication is ‘too expensive’ or ‘too complex’ for smaller teams. Conversely, it’s too expensive not to protect systems and data. Implementing phishing-resistant MFA, such as device-bound passkeys like hardware security keys, is the only scalable way to level the playing field and immunise small businesses against the industrialised threat landscape they now face.”



