Cybersecurity Resolutions for SMBs in 2026
As we close out 2025, mid-year estimates and trends show a continued decline in average and median payment sizes (for example, down to about $1 million per incident from $2 million in 2024), with no projections indicating a return to $1 billion+ totals. Instead, the focus has shifted to rising attack volumes (projected at 11,000+ daily worldwide) and non-payment extortion tactics.
If you run a medical practice, community bank, school district, retail chain, or hold a government contract, the stakes are even higher—breaches don’t just cost money; they can violate HIPAA, PCI-DSS, CMMC, or FERPA and destroy the trust you’ve spent years building. The good news? You don’t need a Fortune 500 budget or a full-time CISO to move the needle. Here are five practical, high-impact cybersecurity resolutions you can actually keep in 2026.
1. Make Multi-Factor Authentication (MFA) Non-Negotiable Everywhere
In healthcare, compromised credentials were the primary vector in 85% of successful breaches in 2025, often involving tactics such as password spraying for initial access and brute-force attacks to steal credentials.
Resolution: Enforce MFA on every account that offers it—Microsoft 365, Google Workspace, QuickBooks Online, your EHR/EMR, banking portals, and especially any remote desktop (RDP) or VPN access.
How to do it:
Turn on Microsoft or Google’s free “security defaults” (forces MFA).
Use an authenticator app (Microsoft Authenticator, Google Authenticator, Authy) instead of SMS when possible.
For staff who resist, give them hardware keys (YubiKey) for $25–$50 each—cheaper than one hour of incident response.
2. Kill Bad Password Habits Once and for All
“Password1” and “Welcome2025” are still showing up in breach dumps. Resolution: Move to passwordless wherever possible, and enforce strong passwords everywhere else.
Quick wins for 2026:
Switch Microsoft 365 and Google Workspace to passwordless sign-in (Windows Hello, passkeys, or authenticator push).
Require at least 12 characters and block the 500 most common passwords (most cloud providers do this automatically now).
Use a business-grade password manager (Bitwarden Teams, 1Password Business, or the one built into Microsoft 365) and make it mandatory for shared accounts.
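As an added example (not code from the original article or from any of the providers named), the Python below shows what the two password rules above look like when enforced in code: a 12-character minimum and a block on commonly breached passwords. It goes a little beyond the text by normalizing candidates before the lookup, so that “Welcome2025” and “P@ssw0rd” are caught as variants of blocklisted words rather than slipping through. The blocklist, the leet-substitution table and the function names are assumptions for illustration; a real deployment would load the provider’s banned-password list or a large breach-derived list.

```python
# Added example (not from the original article): a password-policy check that
# enforces the two rules above, a 12-character minimum and a block on the most
# common passwords. The blocklist is a constructed sample; a real deployment
# would load the provider's banned-password list or a large breach-derived list.
from __future__ import annotations

import re
import unicodedata

MIN_LENGTH = 12

# Constructed sample blocklist (a real one holds thousands of entries).
COMMON_PASSWORDS = {
    "password", "password1", "welcome", "welcome1", "welcome2025",
    "qwerty", "letmein", "123456", "12345678", "iloveyou", "admin",
}

# Character substitutions that crackers try; undone before the lookup so that
# "P@ssw0rd" is treated as "password".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Fold a candidate to the base word a blocklist is most likely to contain:
    lower-case, strip trailing digits and symbols (Welcome2025 -> welcome),
    then undo leet substitutions (p@ssw0rd -> password)."""
    s = unicodedata.normalize("NFKC", candidate).lower()
    stripped = re.sub(r"[\d\W_]+$", "", s)
    if not stripped:          # all digits/symbols: nothing to fold
        return s
    return stripped.translate(_LEET)


def check_password(candidate: str, blocklist=COMMON_PASSWORDS,
                   min_length: int = MIN_LENGTH) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in blocklist or normalize(candidate) in blocklist:
        problems.append("matches a commonly breached password")
    return problems


if __name__ == "__main__":
    for pw in ("Welcome2025", "P@ssw0rd2026!!", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

The normalization step is the part worth copying: a plain string comparison against a blocklist misses the year-suffix and symbol-substitution habits that show up in breach dumps, which is exactly why “Welcome2025” keeps appearing in them.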
3. Patch Like Your Business Depends on It (Because It Does)
Unpatched software is the #1 infection vector for retail point-of-sale breaches and is behind the Log4j-style exploits that keep hitting schools and local governments. Resolution: Automate patching and make the third Tuesday of every month sacred.
2026 action plan:
Enable auto-updates for Windows, macOS, iOS, Android, and Chrome.
Use a lightweight patch management tool (e.g., Automox, NinjaOne, or Microsoft Intune—many start under $5/endpoint/month) for third-party apps like Adobe, Zoom, and your industry-specific software.
For government contractors chasing CMMC 2.0 Level 2, document your patch cadence; assessors love seeing 30-day remediation for critical vulnerabilities.
4. Turn Every Employee into a Human Firewall
Phishing now accounts for 90% of breaches across finance, education, and healthcare. One click from an accounts-payable clerk can lock up your entire network. Resolution: Run short, frequent, real-world phishing tests and micro-training.
Low-effort, high-return options:
Microsoft Attack Simulation Training (included in Microsoft 365 Business Premium or Defender for Business).
Free or low-cost platforms: KnowBe4’s free phishing test, CanIPhish, or GoPhish (open-source).
Make the training 2–3 minutes long and run a test every month. People actually improve when it’s quick and painless.
5. See What’s Happening on Every Device
Ransomware actors live off the land for weeks before encrypting. If you can’t see the lateral movement, you’re responding blindly. Resolution: Deploy lightweight endpoint detection and response (EDR) or at least good logging.
Realistic 2026 choices for SMBs:
Microsoft Defender for Business ($3/user/month) – already baked into many Microsoft 365 plans.
SentinelOne Singularity or CrowdStrike Falcon Go – both have SMB-friendly pricing and one-console visibility.
Even if the budget is tight, turn on Windows Advanced Auditing and forward the logs to a low-cost SIEM such as Microsoft Sentinel or Wazuh (free).
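Forwarding logs only pays off if something looks at them. As an added example (not code from the original article or from any of the products named above), the Python below runs simple correlation logic over a constructed sample of Windows Security logon events (4624 = success, 4625 = failure) of the kind Advanced Auditing produces, and flags the password-spraying and brute-force patterns that section 1 names as the leading credential-theft tactics. The CSV column names, the ten-minute window, the thresholds and the sample addresses are assumptions for illustration; a real SIEM exposes the same fields under its own names.

```python
# Added example (not from the original article): detection logic for the
# password-spraying and brute-force patterns named in section 1, run over
# Windows Security logon events (4624 = success, 4625 = failure) of the kind
# Advanced Auditing produces and a SIEM collects. The events are a constructed
# sample in a simplified CSV shape; column names, thresholds and the time
# window are assumptions for illustration.
from __future__ import annotations

import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5   # one source, many accounts, one or two tries each
BRUTE_MIN_FAILURES = 8   # one source, one account, many tries

# Constructed sample export (addresses are from documentation ranges).
SAMPLE_EVENTS = """\
time,event_id,source_ip,account,logon_type
2026-01-12T08:00:01,4625,203.0.113.7,alice,3
2026-01-12T08:00:03,4625,203.0.113.7,bob,3
2026-01-12T08:00:05,4625,203.0.113.7,carol,3
2026-01-12T08:00:07,4625,203.0.113.7,dave,3
2026-01-12T08:00:09,4625,203.0.113.7,erin,3
2026-01-12T08:00:11,4625,203.0.113.7,frank,3
2026-01-12T08:00:13,4624,203.0.113.7,frank,3
2026-01-12T08:05:00,4625,198.51.100.9,admin,10
2026-01-12T08:05:05,4625,198.51.100.9,admin,10
2026-01-12T08:05:10,4625,198.51.100.9,admin,10
2026-01-12T08:05:15,4625,198.51.100.9,admin,10
2026-01-12T08:05:20,4625,198.51.100.9,admin,10
2026-01-12T08:05:25,4625,198.51.100.9,admin,10
2026-01-12T08:05:30,4625,198.51.100.9,admin,10
2026-01-12T08:05:35,4625,198.51.100.9,admin,10
2026-01-12T09:15:00,4625,192.0.2.20,grace,2
2026-01-12T09:15:20,4624,192.0.2.20,grace,2
"""


def parse_events(text: str) -> list[dict]:
    """Parse the CSV export and return events in time order."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["time"])


def detect(events: list[dict]) -> list[str]:
    """Sliding-window correlation per source IP; returns human-readable alerts."""
    alerts: list[str] = []
    recent_failures: dict[str, list[dict]] = defaultdict(list)
    sprayers: set[str] = set()
    for ev in events:
        src = ev["source_ip"]
        if ev["event_id"] == 4625:
            window = recent_failures[src]
            window.append(ev)
            cutoff = ev["time"] - WINDOW
            window[:] = [e for e in window if e["time"] >= cutoff]
            # Spray: many distinct accounts from one source inside the window.
            accounts = {e["account"] for e in window}
            if len(accounts) >= SPRAY_MIN_ACCOUNTS and src not in sprayers:
                sprayers.add(src)
                alerts.append(f"password spray from {src}: {len(accounts)} "
                              f"accounts failed within {WINDOW}")
            # Brute force: many failures against one account from one source.
            tries = sum(1 for e in window if e["account"] == ev["account"])
            if tries == BRUTE_MIN_FAILURES:
                alerts.append(f"brute force from {src} against {ev['account']}: "
                              f"{tries} failures within {WINDOW}")
        elif ev["event_id"] == 4624 and src in sprayers:
            # A success from a source that was spraying is the signal that matters.
            alerts.append(f"successful logon as {ev['account']} from spraying "
                          f"source {src} (logon type {ev['logon_type']}): "
                          f"treat the account as compromised")
    return alerts


def run_sample() -> list[str]:
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The single failure from grace followed by a success is the normal mistyped-password case and produces nothing; the third alert, a success from a source that had just been spraying, is the one that should page someone, because it is the account to reset and the session to terminate before the weeks of quiet lateral movement described above begin.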
Final Thought:
Start Small, Stack Wins. Pick two resolutions for January (most people choose MFA + patching), add one every quarter, and by the end of 2026, you’ll have layered defenses that stop 95%+ of the attacks hitting your peers. Cybersecurity isn’t about being unhackable—it’s about not being the low-hanging fruit when the attackers come knocking. Make 2026 the year your business stops showing up in the breach reports. Your patients, customers, students, and contractors will thank you.
