The Hard Questions Nobody’s Asking About Your Cybersecurity
Somewhere between 40% and 80% of small businesses experienced a cyberattack last year. The range is that wide because the people funding these studies—software vendors, MSPs, insurance companies—each have something to sell.
What doesn’t vary: small businesses used to fly under the radar. Now they’re the target. And when ransomware hits, the average cost runs around $255,000. For most SMBs, that’s not a bad quarter. That’s a crisis.
Cybersecurity Vendors
Having a cybersecurity service isn’t the same as being protected. It’s like thinking you’re fit because you pay for a gym membership.
You know you have to do something, so your spending on managed security keeps rising year after year. But successful attacks keep rising, too. The disconnect? Security vendors sell impressive numbers—millions of threats blocked, thousands of attacks prevented. But those statistics measure activity, not protection.
Here’s something most vendors won’t share: most of those blocked attacks would have failed anyway, even without their service.
Many attacks are carried out by bot farms that perform drive-by scans and probe for weak points. The latest Node.js exploit is meaningless if you don’t use Node.js. Who cares that your firewall blocked 100,000 Node.js attempts this month? Finding a good security vendor means looking beyond the technology. It means asking fundamental questions about the risks in your business.
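One way to see the difference between activity and protection is to triage a block log against the services you actually expose. The script below is an added example, not code from the article or any vendor; the log lines, the firewall line format, and the list of exposed services are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample firewall lines (not real logs). The line format is an
# assumption for this example: <timestamp> BLOCK src=<ip> dst_port=<port> sig=<signature>
SAMPLE_LOG = """\
2025-01-14T09:12:01Z BLOCK src=203.0.113.5 dst_port=3000 sig=nodejs-deserialization-probe
2025-01-14T09:12:03Z BLOCK src=203.0.113.5 dst_port=3000 sig=nodejs-deserialization-probe
2025-01-14T09:13:10Z BLOCK src=198.51.100.7 dst_port=3000 sig=nodejs-deserialization-probe
2025-01-14T09:14:22Z BLOCK src=198.51.100.9 dst_port=8080 sig=tomcat-manager-bruteforce
2025-01-14T09:15:05Z BLOCK src=192.0.2.44 dst_port=3389 sig=rdp-bruteforce
2025-01-14T09:15:06Z BLOCK src=192.0.2.44 dst_port=3389 sig=rdp-bruteforce
2025-01-14T09:16:40Z BLOCK src=192.0.2.61 dst_port=443 sig=path-traversal-attempt
"""

# What this hypothetical business really exposes to the internet. A probe
# against any other port is aimed at a service that does not exist here.
EXPOSED_SERVICES = {443: "customer web portal", 3389: "remote desktop for staff"}

LINE_RE = re.compile(r"BLOCK src=(?P<src>\S+) dst_port=(?P<port>\d+) sig=(?P<sig>\S+)")


def parse_blocks(log_text):
    """Turn raw block lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"src": m["src"], "port": int(m["port"]), "sig": m["sig"]})
    return events


def triage(events, exposed):
    """Split blocked events into noise (no such service here) and events
    that targeted something the business actually runs."""
    noise = [e for e in events if e["port"] not in exposed]
    relevant = [e for e in events if e["port"] in exposed]
    return {
        "total_blocked": len(events),
        "noise": len(noise),
        "relevant": len(relevant),
        "relevant_by_service": Counter(exposed[e["port"]] for e in relevant),
        "relevant_sources": sorted({e["src"] for e in relevant}),
    }


if __name__ == "__main__":
    summary = triage(parse_blocks(SAMPLE_LOG), EXPOSED_SERVICES)
    print(f"Vendor headline: {summary['total_blocked']} attacks blocked")
    print(f"Would have failed anyway (no such service): {summary['noise']}")
    print(f"Aimed at services you actually run: {summary['relevant']}")
    for service, n in summary["relevant_by_service"].items():
        print(f"  {service}: {n} blocked attempt(s)")
```

The headline number is seven; the number worth a conversation with your vendor is three, and two of those are password guessing against a remote desktop service. That is the question to bring to a review meeting: not how many probes were blocked, but what was aimed at the things you run and whether it would have succeeded without the block.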
Without someone asking, “Where are we actually at risk?”, you may not have the protection you think you do.
The Insurance Illusion
Only 30-50% of U.S. SMBs have cyber insurance. And 28% of those policies are rife with exclusions.
You think you’re covered until you file a claim and discover your policy excludes the exact attack that hit you. I’ve seen it happen. A malware attack hit a company, causing downtime and revenue losses. Hoping for some relief, they turned to their insurer. What did they get? Denial.
The policy excluded actions by third-party vendors. The company outsourced its application development, as many SMBs do, so the insurer denied the claim. They absorbed the full cost of the breach and issued refunds to hundreds of customers.
The quick online policies are the worst offenders: low premiums, long exclusion lists, little actual protection.
Cyber insurance isn’t about having a policy. It’s about knowing what’s covered and whether the limits match real-world costs. Average breach losses run around $120,000. Many SMBs carry $250,000 to $1 million in coverage. Sounds adequate—until you add business interruption, data restoration, and forensic costs.
Then the gap gets real, and it comes out of your pocket.
The Skills Gap Reality
Three out of four small businesses say they can’t manage cybersecurity on their own. And yet three out of four don’t have regular training programs. That’s a lot of companies hoping the problem handles itself.
Many attacks start with a phishing email. Purchasing the latest email security software alone is not sufficient. Even the best antivirus software can let things slip through.
Just last year, I nearly clicked on a malware link in a phishing email. I was expecting an urgent document from a vendor – a DocuSign file. They were to send it that afternoon. When I saw a DocuSign notice in my inbox, I was thinking, “Great, this is now done.”
The email seemed a bit off. The document’s name did not match what I expected.
Digging deeper, I noticed the DocuSign link was malicious. The rest of the email was 100% identical to DocuSign’s real email. I was one click away from possibly being attacked myself.
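The two clues in that story, a document name that did not match and a link that did not go where the branding said it would, can be checked mechanically before anyone clicks. The script below is an added example written for this article, not the author's code or anything from DocuSign; the email HTML is constructed, the look-alike domain in it is invented, and the set of trusted sender domains is an assumption you would confirm against your own vendor's documentation.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample notification. The visible text and branding say DocuSign;
# the first link's host does not. The look-alike domain is invented.
SAMPLE_EMAIL_HTML = """
<p>Please review and sign: <b>Invoice_Q1_Final.pdf</b></p>
<p><a href="https://docusign-review-portal.example/s/abc123">REVIEW DOCUMENT</a></p>
<p><a href="https://support.docusign.com/">Help</a></p>
"""

# Domains a genuine notification is expected to link to (assumption for the example).
TRUSTED_DOMAINS = {"docusign.com", "docusign.net"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_matches(host, trusted):
    """True if host is a trusted domain or a subdomain of one.
    'docusign.com.evil.example' must not match, so we compare suffixes with a dot."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_links(html_text, trusted):
    """Return every link whose real destination host is outside the trusted domains."""
    parser = LinkCollector()
    parser.feed(html_text)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if not host_matches(host, trusted):
            findings.append({"text": text, "href": href,
                             "reason": f"destination host '{host}' is not a trusted sender domain"})
    return findings


def check_email(html_text, trusted, expected_filename):
    """Combine both clues from the story: link destination and document name."""
    return {
        "name_matches": expected_filename in html_text,
        "bad_links": suspicious_links(html_text, trusted),
    }


if __name__ == "__main__":
    result = check_email(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS, expected_filename="Vendor_Contract.pdf")
    print("Expected document name present:", result["name_matches"])
    for f in result["bad_links"]:
        print(f"Do not click '{f['text']}': {f['reason']} ({f['href']})")
```

Hovering over a link in a mail client shows the same destination host this script extracts; the point of writing it down is that "where does this actually go?" is a yes-or-no check, not a judgement call. A message whose links all resolve to the vendor's domains and whose document name matches what you were told to expect still deserves a phone call when the timing feels off.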
This isn’t about making your entire staff security analysts. It’s about awareness.
Can your team spot a phishing email?
The University of Maryland says its systems are attacked 2,244 times a day. Your people are the first line of defense against these attacks.
The skills gap goes beyond employee training.
Even with a cybersecurity vendor and staff training, someone inside your organization needs enough understanding to ask the right questions. Not technical expertise—business sense.
Questions like:
“Show me how our setup would stop what happened to that company down the street.”
“Walk me through what we have in place if our customers’ data is compromised.”
The Supply Chain Blind Spot
Attackers figured out something simple: compromise one software vendor and you hit a thousand customers at once. That’s easier than attacking those thousand businesses individually. Most executives now rank supply chain attacks among their top concerns.
But most SMBs have no idea how secure their vendors are.
You wouldn’t buy a fire extinguisher from a guy selling one out of his trunk. Why accept a software vendor’s services without knowing their security practices?
This hits small companies harder. You may have 20-100 employees, but your HR, payroll, medical benefits, shipping, and invoicing may all be outsourced. Each vendor is a possible entry point. Most large companies now factor cybersecurity into vendor decisions. As a small business, do you have the expertise and time to do the same without outside help?
Questions Worth Asking:
Of your security services:
When did they last show you evidence that their protections actually work? Not reports of blocked attempts—proof that a real attack would fail. Have they walked you through their response plan using a scenario specific to your business? Did you engage a vendor to do an audit to find out where the real risks are located – or was it a one-size-fits-all security package?
Of your cybersecurity insurance:
Does your coverage match your actual risks? If you handle customer data, does it cover notification costs? If you rely on cloud services, are outages covered? Has anyone compared your policy limits to current average attack costs? If you sell online services, is lost revenue compensated?
Of your team:
Do your employees know what to do if they suspect something’s wrong? Not the technical response—the human one. Who do they call? How fast? What if it happens on a weekend? If they click something they shouldn’t, do you have a culture that promotes disclosure rather than punishment?
Of your vendors:
Which three vendors could shut down your business if they were compromised? Have you asked them about their security practices? Would you know if they had a breach that might affect you?
Of your disaster recovery provider:
If everything is encrypted tomorrow, how long will it take you to be operational again? Have you tested that recently? What if your backup provider is the one that gets compromised?
These aren’t technical questions. They’re questions about keeping your business running; technology just happens to be involved.
The 2026 Reality Check
How do you change things?
Start with an honest assessment. Not just a scan or a test, but a business-focused review.
The challenge is not to understand the technical threat. The challenge is to understand the business risk.
You have to ask the right questions:
- What actually happens if you get hit tomorrow?
- Who decides how you will respond? How fast can you move?
- How much downtime can you honestly handle? What data should not leak into the wrong hands?
Look to your partners. Do they know your business well enough to defend what matters?
Look for your weakest links. It’s rarely the technology. It’s the rushed employee who clicks on a dangerous email. The vendor who skips patches. The backup plan nobody’s tested—the insurance policy nobody’s read.
Be realistic.
Do I really have the skillset even to ask these types of questions?
The businesses that get hurt aren’t the ones that spent too little. They’re the ones who assumed someone else was asking the hard questions.
Usually, no one was.