Most small and medium businesses are no longer burying their heads in the sand when it comes to cybersecurity. They know they are vulnerable. The good news is that SMBs are willing to invest in security, according to new research from Kaseya. And MSPs clearly see the opportunity, with 74% planning to increase their cybersecurity service offerings over the next year.
Tailoring those offerings to align with SMBs’ evolving needs and spending priorities, however, will be critical to success.
The newly released Kaseya 2026 Cybersecurity Outlook: Trends, Threats, and Readiness report identifies key cybersecurity trends where MSPs can fill a void.
Today’s Threat Landscape – Not “If” But “When”
Reality has set in for SMBs. Almost 70% of businesses surveyed believe they will be victims of a successful phishing attack in the next 12 months, and more than half anticipate a ransomware breach.
The report finds that MSPs are even more realistic. The majority (76%) believe one of their clients will experience a successful phishing attack in the next 12 months. The top threats they anticipate during that period are phishing (74%), business email compromise (66%), and malware (44%). Only 2% of MSPs are confident their clients will avoid a successful attack.
In addition, 37% of businesses reported losing a full day or more to downtime following an incident, and 18% suffered financial losses of $100,000 or more after a security breach.
SMB wallets are opening up to address security needs, though in a measured way, as budgets compete with other IT priorities. In the past year, 44% of businesses increased their security spend, and nearly half (48%) expect to see budget increases over the next 12 months. The majority (68%) are projecting modest growth of 5%–25%, with spending concentrated at the lower end.
Where do SMBs plan to invest over the next 12 months? Respondents cite penetration testing (17%), cloud detection and response/SaaS security (17%), dark web monitoring (16%), and BCDR (15%) as top priorities. Notably, however, 14% of respondents report no plans to add new security solutions in the coming year.
6 Gaps MSPs Can Fill
1. Security Awareness Training – Shoring Up the Weakest Link
People remain the biggest weakness when it comes to cybersecurity, and the research identifies poor user practices, inadequate training, and lack of expertise as the culprits.
Phishing remains the most significant cybersecurity threat facing businesses today, with 56% of respondents reporting they’ve been impacted at least once and nearly half (49%) saying they were targeted in the past year alone. While 86% of training programs include phishing simulations, one-third of businesses provide training only once a year or less.
Over the next 12 months, survey respondents say human error and social engineering (29%) are their most feared threats, followed by email (27%), the primary delivery method for social engineering attacks.
Opportunity multiplier: MSPs that can deliver engaging, continuous training programs and reinforce a true culture of security will stand apart from competitors.
2. Vulnerability Identification – More Proactive Measures Are Needed
Vulnerability assessments and penetration testing are key defense mechanisms, yet some SMBs are giving them short shrift. While 84% of respondents conduct vulnerability assessments at least annually, and 63% run them quarterly, nearly 30% of businesses are inconsistent or do not conduct assessments at all. And when it comes to pen testing, 76% of businesses conduct them annually, but nearly 1 in 4 remain inconsistent or skip testing entirely.
Opportunity multiplier: Pen testing is a profitable opportunity, with almost half of MSPs reporting margins above 20%. However, a third of MSPs don’t offer the service at all. This is a sizeable untapped market.
3. AI and Automation – Building Trust
SMBs today are using AI for email security (49%), endpoint protection (34%), and threat detection and anomaly identification (32%), according to respondents. And looking ahead, businesses plan to expand AI’s role into improving overall visibility through better threat and vulnerability detection (32%) and automating response or remediation (30%).
However, trust remains a barrier. More than 80% of respondents said that human oversight is required, and only 12% trust AI to act autonomously. Their key concerns are accuracy (29%), which includes the fear of false positives or negatives, followed by data privacy (27%) and cost (19%).
Opportunity multiplier: Implement AI-driven security solutions for predictive and automated defense for clients, while acting as their trusted advisor to ensure data integrity and ROI in their investments.
4. Cybersecurity Frameworks – Lack of Maturity Around Risk
The Kaseya study finds that the most widely adopted frameworks are Zero Trust and ISO 27001 (both 36%), followed closely by NIST (35%). Other frameworks being adopted include MITRE ATT&CK and CIS (both 22%), and CMMC (19%).
However, fewer than half of organizations have embraced any single framework—and many have adopted multiple frameworks simultaneously.
Opportunity multiplier: Guide clients in adopting and operationalizing these models more consistently.
5. Threat Monitoring – Proactivity Is Lagging
Organizations have built a strong foundation of core defenses, including antivirus (76%), firewalls (71%), and email/phishing protection (68%). More advanced measures like network security (61%) and EDR (59%) are also well adopted. However, solutions like Managed SOC, MDR, or SIEM are less well adopted.
According to the report, 44% of organizations maintain an internal SOC and 37% rely on a managed SOC, but about 15% of businesses report having no real-time threat monitoring in place. Another 4% don’t even know how threats are monitored.
Opportunity multiplier: Advise SMBs on implementing layered solutions and establishing continuous monitoring for around-the-clock protection.
6. Incident Response – Plans and Testing Are Needed
SMBs lag in readiness when it comes to responding to a security incident, the research finds. Fewer than half (40%) of organizations have a formal incident response (IR) plan and test it regularly, and 27% have a plan in place but have never tested it. Worse, 24% have no formal plan at all, and an additional 10% are unsure of their organization’s IR plan.
Opportunity multiplier: Work with clients to formalize, test, and refine incident response processes.
Turning Insight into Action: MSPs at the Center of SMB Cyberdefense
The takeaway from Kaseya’s 2026 Cybersecurity Outlook is clear: SMBs recognize the risks, are increasing their investments, and are looking for trusted partners to help them mature. For MSPs, this means going beyond reactive services to become proactive cybersecurity strategists. Those that align offerings with SMBs’ top priorities will be best positioned to capture the growing demand. The opportunity is wide open, but success will depend on MSPs’ ability to translate insight into action and deliver measurable, layered security that keeps clients protected in an ever-evolving threat landscape.
Methodology: This year’s report draws on insights from more than 700 SMBs and 370 MSPs worldwide. The majority of participants (83%) came from the Americas, with additional representation from EMEA (6%), APAC (3%) and other regions (8%). Most respondents (65%) work at SMBs with more than 100 employees.