64pc of EMEA organizations expect an attack in the next year, while 44pc have already experienced an incident in the last 12 months.
According to a new study by ESET on the SMB Cyber Readiness Index 2026, “businesses are losing sleep over a high-tech threat that has never been seen in a real attack”, in an environment where “daily scams” continue and cost money.
ESET, a Slovakia-based global cybersecurity company, partnered with Esomar member Go4insight to collect data from 4,400 organizations with 25 to 1,000 endpoints in 13 countries.
This includes Canada, the Czech Republic, Denmark, France, Germany, Italy, Japan, the Netherlands, Slovakia, Spain, Sweden, the UK and the US. Contributors were the main decision makers, or the main influencers, in the organization’s cyber security decisions.
The research found that 64pc of participating organizations spread across Europe, the Middle East and Africa expect an attack in the next year, while 44pc have already experienced an incident in the last 12 months.
31pc are of the opinion that the single biggest threat is AI-powered malware, despite ESET’s findings that across its managed detection and response (MDR) service, not a single incident involved AI generation “in any meaningful way”. Rather, among the threats that posed the greatest danger, was phishing (27pc), unpublished software (23pc), lack of security precautions (20pc) and weak passwords (20pc).
Commenting on the report, Michal Jankech, business vice president, SMB and MSP at ESET, said: “While 78pc of SMBs recognize the importance of cybersecurity strategies, a consistent understanding of key threats, technologies and terminology, including MDR and security posture, suggests there is still room for any improvement.
“We found that SMBs’ concerns are often shaped by emerging alarming headlines such as AI-driven attacks, while more common risks, such as phishing, unpublished risks and a lack of vigilance, are underestimated. This indicates that many respondents do not fully understand their security posture and resilience.”
Invest in security
The ESET survey also highlighted the need and desire for significant training among participating EMEA organizations.
87pc explained that they believe training is very important or important and 51pc train several times a year, while 12pc train every month. Only 43pc, however, were found to be using standard training programs such as phishing simulations.
Currently, 83pc watch them cybersecurity budget as enough or more than enough and 39pc expect a budget increase next year.
For future investment in their organisation, 40pc plan to be more involved in training and awareness of staff, 33pc have a future cloud security strategy and one quarter intend to invest in backup and support. The main barriers are currently budget constraints (26pc), complexity and integration challenges (20pc), and talent and skills shortages (18pc).
“As it stands, meeting the challenges of cybersecurity in 2026 means understanding the intersection of your business needs, human behavior, the democratization of powerful technologies like AI, regulatory priorities, and the ever-changing threat landscape — that’s a lot,” Jankech said. “Therefore, to deal with all these things, there is only one option – resilience, starting with planning your preparedness.”
Although organizations based in Ireland were not included in the ESET survey, George Foley – ESET Ireland’s cyber security expert – gave his opinion on what Irish organizations should expect.
“Irish businesses are looking at the Hollywood version of cybercrime while the side door is left open,” he said. “The attack that drains your account isn’t a self-driving AI virus. It’s this dodgy receipt email we’ve been warning about for years, except now it’s complete and there are thousands of them.
“Spend your worries and your budget on the basics. Train your employees to pause before paying, keep your systems connected and stop reusing passwords. That’s what keeps money from going out the door.”
Don’t miss out on the information you need to succeed. Sign up for Daily BriefSilicon Republic’s digest of must-know sci-tech news.
Updated, 5.31pm, 9 June 2026: This article was amended to correct some mathematical errors.
