A recent study highlights a troubling paradox in the small and medium-sized business cybersecurity landscape. While spending on security solutions is set to surge—Network Detection and Response is expected to grow by 118% and Managed Detection and Response by 107%—readiness among these businesses remains critically low. The research from Techaisle reveals that 83% of small and medium-sized businesses do not conduct formal security awareness training, and 46% lack established protocols for responding to incidents. This operational gap is alarming, as the average financial loss from a security incident for these businesses stands at $1.6 million. The study emphasizes that technology alone cannot solve the underlying issues of process and expertise that leave many businesses vulnerable.
Microsoft has issued a warning about the rise of opportunistic cyber criminals targeting large businesses, with more than half of cyber attacks now driven by extortion and ransomware. According to their sixth annual Digital Defense Report, attackers aimed to steal data for financial gain in 80 percent of cyber incidents investigated last year, with at least 52 percent of those incidents motivated by financial reasons. The report highlights that critical public services, such as hospitals and local governments, are particularly vulnerable due to limited cybersecurity budgets and incident response capabilities. Meanwhile, nation-state actors are also evolving their tactics, with China increasing its espionage efforts and North Korea exploiting remote IT workers to generate revenue and conduct cyber attacks. Microsoft emphasizes the need for organizations to stay informed about these threats and collaborate with industry peers and governments to enhance their defenses.
Why do we care?
Here’s the paradox: SMBs are throwing money at cybersecurity — MDR spending up 107%, NDR up 118% — but they’re not getting safer. The bottomless money pit of security.
Techaisle says 83% of small businesses don’t even do security awareness training, and half don’t have an incident response plan. That’s not security — that’s buying comfort.
And Microsoft’s new report backs it up: more than half of attacks are now financially driven. Ransomware, extortion, data theft — it’s all about money. And the bad guys? They’re going where the defenses are weakest — small businesses and public services that have tools but no plan.
So here’s what this means for MSPs: this is your opportunity. Clients are spending; they just need you to turn tools into readiness. Build process. Train people. Run tabletop exercises.
Because until you help them operationalize security, they’re not secure — they’re just buying products and hoping for the best. Cybersecurity is not about tools, it’s about preparedness, and a simple well executed plan that is appropriate for the business is the real value.

