US SMB Cyber Alert: Critical Device Exploits & The $3M Risk
Why unpatched network gear and AI-driven attacks require an immediate pivot in your SMB defense strategy.
US small and medium-sized businesses (SMBs) face an average data breach cost of more than $3 million, roughly what it costs to open a second store. Three threats need attention now: attackers exploiting vulnerabilities in network edge devices from vendors such as WatchGuard, Fortinet, SonicWall, and Cisco; AI-driven attacks that are faster and more convincing than the phishing most staff have been trained on; and persistent organizational unpreparedness, with human error still the most common way in.
For example, a recent data breach at a small retail business began when attackers exploited an outdated network device. Sensitive customer data was exposed within hours; the business estimated $150,000 in lost revenue, a six-week recovery period, and a 10% increase in customer churn. The financial loss and reputational damage from a single unpatched box are why SMBs cannot defer these threats.
Three Threats, Three Fixes: To navigate these challenges, focus on three key priorities with targeted actions.
Patch your edge devices first. Inventory every firewall, VPN gateway, and router, apply the current security patches and hotfixes, and keep checking for new ones. An unpatched, internet-facing device is the single most likely starting point for a breach of the $3 million kind, so staying current protects revenue, customer trust, and continuity at the same time.
Adopt advanced defenses against AI threats. Invest in machine-learning tools that spot odd behavior in real time, and regularly review your cybersecurity measures.
Make employee training a priority. Schedule mandatory, ongoing sessions on phishing simulations and password hygiene to reduce incident-related downtime.
1. Critical Device Vulnerabilities Are Under Active Attack
If you use network security hardware from major vendors, verify immediately that your devices are up to date. Attackers are actively exploiting weaknesses in these devices to access networks.
Vendors have released patches for severe flaws disclosed in 2025, including WatchGuard (CVE-2025-14733, exploitable for remote takeover of the device), Fortinet (CVE-2025-59718 and CVE-2025-59719, authentication bypass through the FortiCloud single sign-on path), SonicWall (CVE-2025-40602, unauthorized access), and Cisco (CVE-2025-20393, a critical flaw in the AsyncOS software on its email security appliances). These are not theoretical risks: the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several of them to its Known Exploited Vulnerabilities (KEV) Catalog, which lists only flaws confirmed to be used in real attacks.
Compromised devices can result in unauthorized access, data breaches, and ransomware attacks. Financial and reputational damage is often difficult for SMBs to overcome.
Patch Now: Inventory your WatchGuard, Fortinet, SonicWall, or Cisco equipment and apply all security patches and hotfixes immediately.
To limit disruption, schedule updates for off-hours or roll them out in stages (one site or one device first), and keep a rollback path such as a saved configuration backup. Do not let scheduling push a patch for an actively exploited flaw out by weeks; each KEV entry carries a due date, and a few days is a reasonable target for an edge device.
Verify Configurations: For Fortinet users, ensure the FortiCloud SSO login feature is disabled unless strictly necessary. On every vendor's gear, confirm that the management interface is not reachable from the internet and remove administrator accounts you do not recognize.
Monitor Weekly: Review the CISA KEV Catalog each week. Take immediate action if your equipment is listed.
Review Logs: Examine the logs on these devices for signs of prior compromise: administrator logins from unfamiliar addresses or at odd hours, new or modified admin accounts, repeated failed logins, and configuration changes nobody on your team made. Patching closes the hole but does not evict an attacker who is already inside.
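The weekly KEV check and the device inventory above can be automated. The script below is an added example, not code from the article or from CISA: it reads the catalog in the JSON schema CISA publishes, cross-references it against a spreadsheet-style inventory, and flags which devices need attention, which entries appeared in the last week, and which are past their due date. The catalog sample, device names, product strings, and dates are constructed placeholders so the script runs offline; use fetch_live_kev() for the real feed.

```python
"""Cross-check a network-device inventory against the CISA KEV catalog.

Added example; it is not code from the article or from CISA. The live
catalog is published as JSON at KEV_FEED_URL below. To run offline, the
script embeds a constructed sample in that file's schema: the CVE IDs are
the ones the article names, but the product strings and dates are
placeholders, not values copied from the live feed.
"""
import json
import urllib.request
from datetime import date

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample (real field names, placeholder products and dates).
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-14733", "vendorProject": "WatchGuard", "product": "Firebox",
     "dateAdded": "2025-12-19", "dueDate": "2025-12-26"},
    {"cveID": "CVE-2025-59718", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2025-12-16", "dueDate": "2025-12-23"},
    {"cveID": "CVE-2025-20393", "vendorProject": "Cisco", "product": "AsyncOS",
     "dateAdded": "2025-12-17", "dueDate": "2025-12-24"},
]})

# Constructed inventory of the kind a small shop keeps in a spreadsheet.
INVENTORY = [
    {"name": "fw-hq-1",    "vendor": "Fortinet",   "product": "FortiGate 60F (FortiOS)", "version": "7.4.3"},
    {"name": "fw-store-2", "vendor": "WatchGuard", "product": "Firebox T45",            "version": "12.10"},
    {"name": "sw-core-1",  "vendor": "Cisco",      "product": "Catalyst 9200 switch",    "version": "17.9"},
    {"name": "ap-lobby",   "vendor": "Ubiquiti",   "product": "UniFi U6 access point",   "version": "6.6"},
]


def load_kev(text):
    """Return the list of KEV entries from the feed's JSON text."""
    return json.loads(text)["vulnerabilities"]


def fetch_live_kev(timeout=30):
    """Download the current catalog (network access required)."""
    with urllib.request.urlopen(KEV_FEED_URL, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def _product_match(inventory_product, kev_product):
    a, b = inventory_product.lower(), kev_product.lower()
    return a in b or b in a


def find_exposures(inventory, kev, today, window_days=7):
    """Pair every inventory device with KEV entries from the same vendor.

    level == "product": the KEV product string also matches the device, so
    treat it as affected until the vendor advisory says otherwise.
    level == "vendor":  same vendor only; inventories are rarely precise, so
    confirm the model by hand rather than assuming it is safe.
    """
    hits = []
    for dev in inventory:
        for entry in kev:
            if dev["vendor"].strip().lower() != entry["vendorProject"].strip().lower():
                continue
            added = date.fromisoformat(entry["dateAdded"])
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "device": dev["name"],
                "version": dev["version"],
                "cve": entry["cveID"],
                "level": "product" if _product_match(dev["product"], entry["product"]) else "vendor",
                "new_this_week": (today - added).days <= window_days,
                "overdue": today > due,
                "due": entry["dueDate"],
            })
    # Product-level matches first, then alphabetically by device.
    return sorted(hits, key=lambda h: (h["level"] != "product", h["device"]))


def weekly_report(hits):
    """Format the findings as one line per device/CVE pair."""
    lines = []
    for h in hits:
        flags = []
        if h["new_this_week"]:
            flags.append("NEW")
        if h["overdue"]:
            flags.append("OVERDUE")
        tag = " ".join(flags) or "-"
        lines.append(f'{h["device"]:<11} {h["cve"]:<15} {h["level"]:<8} due {h["due"]}  {tag}')
    return lines


def check_sample(today_iso="2025-12-24"):
    """Run the cross-check on the embedded sample as of the given date."""
    return find_exposures(INVENTORY, load_kev(SAMPLE_KEV_JSON), date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Swap check_sample() for find_exposures(INVENTORY, fetch_live_kev(), date.today()) in production.
    print("\n".join(weekly_report(check_sample())))
```

The vendor-only tier exists because KEV product names ("AsyncOS", "FortiOS") rarely match how a spreadsheet describes a box; a vendor hit on a device you cannot positively rule out is a prompt to open the advisory, not a false positive to suppress. Schedule the script weekly and treat any OVERDUE line as an incident-priority task.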
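"Suspicious activity" in device logs is easier to find with a few concrete rules. The script below is an added example, not code from the article or from any vendor: it parses admin events in a generic key=value log style and flags the patterns that usually mark a prior compromise of an edge device (admin logins from outside the management network, logins in the overnight window, repeated failed logins, new administrator accounts, and changes to SSO or authentication settings). The log lines, the management subnet, and the field names are constructed; field names on real gear differ, so map them from your vendor's log reference before using this on production logs.

```python
"""Triage administrative events on an edge device for signs of prior compromise.

Added example; not code from the article or from any vendor. The sample log
lines are constructed in a generic key=value style; field names on real gear
differ (check your vendor's log reference), and the management network,
addresses, and account names below are placeholders.
"""
import re
from collections import Counter
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed sample: one device's admin-related events over a few days.
SAMPLE_LOG = """\
date=2025-12-20 time=02:14:07 type=event action=login status=success user=admin srcip=203.0.113.45 ui=https
date=2025-12-20 time=09:02:11 type=event action=login status=success user=admin srcip=10.0.5.12 ui=https
date=2025-12-20 time=02:15:30 type=event action=add path=system.admin user=admin name=support_tmp srcip=203.0.113.45
date=2025-12-20 time=02:16:02 type=event action=edit path=system.global user=admin attr=admin-sso-login srcip=203.0.113.45
date=2025-12-21 time=11:40:19 type=event action=login status=failed user=admin srcip=198.51.100.7 ui=ssh
date=2025-12-21 time=11:40:23 type=event action=login status=failed user=admin srcip=198.51.100.7 ui=ssh
date=2025-12-21 time=11:40:27 type=event action=login status=failed user=admin srcip=198.51.100.7 ui=ssh
date=2025-12-22 time=08:30:00 type=event action=login status=success user=jsmith srcip=10.0.5.40 ui=https
"""

# Placeholder: the subnets your administrators actually log in from.
MGMT_NETS = ["10.0.0.0/8"]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def _in_off_hours(hhmmss, start, end):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    t = time(h, m, s)
    # The window wraps midnight when start > end (e.g. 22:00 to 06:00).
    if start > end:
        return t >= start or t < end
    return start <= t < end


def review(log_text, mgmt_nets, off_start=time(22), off_end=time(6), fail_threshold=3):
    """Return a list of findings, each {"rule", "line", "detail"}, in log order."""
    nets = [ip_network(n) for n in mgmt_nets]
    findings = []
    failures = Counter()

    def flag(rule, lineno, detail):
        findings.append({"rule": rule, "line": lineno, "detail": detail})

    for lineno, raw in enumerate(log_text.splitlines(), 1):
        if not raw.strip():
            continue
        ev = parse_line(raw)
        action, src = ev.get("action"), ev.get("srcip")

        if action == "login" and ev.get("status") == "success":
            # Successful login from outside the management networks.
            if src and not any(ip_address(src) in n for n in nets):
                flag("external_admin_login", lineno, f'{ev.get("user")} from {src}')
            # Successful login in the overnight window.
            if _in_off_hours(ev["time"], off_start, off_end):
                flag("off_hours_login", lineno, f'{ev.get("user")} at {ev["time"]}')
        elif action == "login" and ev.get("status") == "failed":
            # Repeated failures from one source: credential guessing.
            failures[src] += 1
            if failures[src] == fail_threshold:
                flag("brute_force", lineno, f"{fail_threshold} failures from {src}")
        elif action == "add" and ev.get("path") == "system.admin":
            # A new administrator account is the classic persistence step.
            flag("new_admin_account", lineno, f'account {ev.get("name")} created by {ev.get("user")}')
        elif action == "edit" and ev.get("path") == "system.global" and "sso" in ev.get("attr", "").lower():
            # Change to an authentication setting such as SSO login.
            flag("auth_config_change", lineno, f'{ev.get("attr")} changed by {ev.get("user")}')
    return findings


def summarize(findings):
    """Count findings per rule."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in review(SAMPLE_LOG, MGMT_NETS):
        print(f'line {f["line"]:>3}  {f["rule"]:<22} {f["detail"]}')
```

In the sample, the overnight login from an external address, the account created a minute later, and the SSO setting change two minutes after that form one story; that sequence, not any single line, is what tells you the device was already owned before you patched it, and it is the trigger for resetting credentials, reviewing the configuration, and starting incident response rather than just applying the update.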
2. The Accelerating Threat of AI-Powered Cyberattacks
Beyond hardware flaws, a new danger is accelerating. Artificial Intelligence is now a tool for cybercriminals, not just business efficiency. Threat actors use AI to create convincing phishing campaigns, clone voices for social engineering, and develop adaptive malware that evades traditional detection.
AI lowers the barrier to sophisticated attacks: by some estimates AI-written phishing is roughly three times as successful as the traditional kind, and it is harder for employees to spot. The "Agentic Code Tipping Point," the stage at which AI autonomously plans and executes intrusions, is expected in 2025, and the volume of automated attacks is projected to rise by as much as 60% after that, which is more than static, signature-based defenses are built to absorb.
Your Action Plan:
Fight AI with AI: Invest in email and endpoint protection that uses machine learning to detect anomalies that rule-based systems miss.
Update Awareness Training: Educate your team on AI-specific threats, including fake video calls and cloned voice messages, and give them a verification step (call back on a known number) for any urgent request involving money or credentials.
Lock Down Fundamentals: However convincing the lure, an attacker still needs a working login. Strong multi-factor authentication and unique passwords remain effective; do not overlook these basics.
Partner Up: If you lack internal resources, engage an MSSP that uses AI-driven security tools for continuous monitoring. Look for SMB experience, 24/7 monitoring, and demonstrated AI capabilities for emerging threats.
When selecting a partner, consider these key questions:
Does the MSSP have a proven track record with companies of your size and industry?
Do they offer scalable services that can grow with your business?
How transparent are their communication and reporting processes?
These criteria will help you make an informed decision.
3. SMB Unpreparedness and the Human Factor
Despite frequent headlines, the “human factor” remains the main vulnerability for most businesses. Ninety-five percent of cybersecurity incidents are due to human error, yet only 39% of small companies provide formal training.
Relying on untrained staff or allowing employees to bypass security policies creates significant risk. Actions such as clicking malicious links or mishandling sensitive data can result in average losses of $200,000 per attack and substantial downtime. Technology alone cannot compensate for a weak security culture.
Your Action Plan:
Mandate Training: Implement ongoing training programs. Phishing simulations and password hygiene education should be continuous rather than one-time events.
Formalize Responses: Work with a professional to develop a business continuity plan. Ensure your team understands their roles during incidents to minimize damage.
Enforce Policy: Require Multi-Factor Authentication (MFA) for all accounts without exception.
To put these strategies into action, take a practical step this week: schedule a patch audit of your network devices, assign one person or team to own the Multi-Factor Authentication rollout, and book a training session for the whole team before month's end. Set measurable short-term targets, such as patching at least 80% of edge devices within the week, enabling MFA on every administrator and email account first and then on all remaining accounts, and having every employee complete training. Track progress in a simple spreadsheet or checklist so the IT lead keeps visibility over both the immediate tasks and the longer-term program.
Seek Expertise: If hiring a CISO is not feasible, partner with CPF Coaching LLC, an MSP, or an MSSP to address knowledge gaps and maintain compliance. Managed Service Providers (MSPs) typically focus on managing IT infrastructure and user systems, offering services such as network management and help desk support.
On the other hand, Managed Security Service Providers (MSSPs) specialize in cybersecurity services, including threat monitoring and incident response. Understanding these distinctions will help you choose the right partner to meet your organization’s specific needs.
When budgeting for these services, consider that costs can vary significantly based on factors such as the size of your business, the range of services required, and the level of expertise needed. Typical MSP pricing ranges from a few hundred to a few thousand dollars per month, while MSSP pricing can be higher due to the specialized nature of the services offered.