Small and medium-sized businesses’ cybersecurity isn’t breaking—it’s not due to unstoppable attacks or futuristic threats reserved for superpowers. It’s mainly breaking due to basic, repetitive, and avoidable mistakes. That’s the core idea of the Cyber Protect Report 2026, in which the company has decided to shift the focus of its annual reports: less threat listing and more attention to operational failures that open the door to a breach.
The change is significant. SonicWall argues that the main problem for many SMEs isn’t that attackers are invincible, but that there are still very predictable vulnerabilities in authentication, patching, network segmentation, remote access, or monitoring. Based on data from a global network of over one million security sensors, the report aims to translate threat intelligence into language more aligned with business: what decisions—or lack thereof—end up costing money, time, and operational continuity.
A more automated, noisier, and more aggressive environment
The figures supporting this message reveal a growing pressure environment. SonicWall states that high- and medium-severity attacks increased by 20.8% in 2025, exceeding 13 billion impacts. Meanwhile, automated bots now generate more than 36,000 vulnerability scans per second, and malicious bot traffic alone makes up 37% of global internet traffic. The report also notes that attacks on IoT grew by 11% to around 610 million and that Log4j continued generating 824.9 million IPS events four years after its public disclosure.
However, SonicWall’s focus isn’t solely on volume but on the nature of exposure. The company asserts that identity, cloud, and credential breaches account for 85% of actionable security alerts—supporting its thesis that a stolen password remains a much more valuable tool for attackers than a rare zero-day exploit. Simultaneously, the report states that 88% of breaches in SMEs during 2025 involved ransomware, more than double the proportion observed in large enterprises.
The seven deadly sins of cybersecurity
Based on this analysis, SonicWall structures its report around what it calls the Seven Deadly Sins of Cybersecurity, seven operational failures that, according to the company, recurrently appear in incident investigations and security audits. The first is ignoring fundamentals: weak authentication, unpatched systems, and excessive privileges remain the most profitable attack surface. The second is false confidence: the false belief that a small business is too insignificant to be a serious target or that existing controls are sufficient without truly testing them.
The third is overexposed access: flat networks, overly permissive rules, and implicit trust once a user authenticates. The fourth is a reactive stance: without 24/7 monitoring or proactive threat hunting. SonicWall highlights an alarming fact here: an average breach goes undetected for 181 days. Channel Insider, summarizing the same report, adds a particularly concerning detail: 44% of security alerts go uninvestigated due to noise overload.
The fifth sin is making security decisions driven by short-term cost, postponing investments that later manifest as incidents and recovery costs. SonicWall estimates that a single breach can cost a SME over $4.91 million when factoring in downtime and recovery. The sixth is reliance on legacy access models, especially traditional VPNs that authenticate once and grant excessive access: during the analyzed period, vulnerabilities related to VPNs (CVE) increased by 82.5%. The seventh and final is chasing hype instead of execution, meaning purchasing new tools without proper deployment and expecting technology to compensate for process deficiencies.
Spain emerges as one of Europe’s most targeted countries
For the Spanish market, SonicWall presents an especially stark view. In the localized version of the report, the company states that Spain was the European country with the highest attack intensity per device in 2025, surpassing Germany, Italy, the UK, France, and even the US in this specific metric. They also report that intrusion attempts detected via IPS in Spain increased by 119.8% year-over-year—the highest increase among examined European markets.
Furthermore, SonicWall claims that web attacks dominated in Spain: 82% of all intrusion activity targeted web infrastructure, with 335.7 million detections attributed to this category. The company describes this as a sustained, technically diverse assault on publicly accessible internet infrastructure. Although this data comes from a provider’s report and should be interpreted with that context, it highlights a particularly relevant exposure scenario for Spanish companies with portals, services, and web applications accessible from outside.
More than a threat report— a message for executives and MSPs
The report also clearly serves a commercial purpose. SonicWall explains that this edition aims to help MSPs and MSSPs engage in more strategic conversations with SME managers, translating technical language into business impact. This doesn’t diminish the report’s value but does require reading with some distance: it’s not a neutral market audit, but a vendor document designed to reshape cybersecurity narratives around execution, operational hygiene, and measurable protection.
Nevertheless, the diagnosis reveals an uncomfortable truth that transcends SonicWall: many organizations are still seeking the magical tool while maintaining weak passwords, legacy remote access, insufficient monitoring, and poorly segmented networks. And if the report is right about one thing, it’s that a significant portion of the risk still stems from these issues—not an unthinkable threat, but from security tasks known for years but often postponed until it’s too late.
Frequently Asked Questions
What are the “seven deadly sins” of cybersecurity according to SonicWall?
They are seven recurring operational failures that, according to SonicWall, explain a large part of breaches in SMEs: ignoring fundamentals, false confidence, overexposed access, reactive posture, cost-driven decision-making, dependence on legacy access models, and chasing hype instead of proper execution.
Which report statistic is most concerning for SMEs?
One of the most alarming is that 88% of breaches in SMEs during 2025 involved ransomware—more than double the rate observed in large enterprises, according to SonicWall.
Why does SonicWall emphasize credentials rather than zero-days?
Because the report states that 85% of actionable security alerts relate to identity, cloud, and credential compromises. The thesis is that stolen passwords remain one of the attacker’s most effective tools.
What does SonicWall say about Spain in this report?
The localized version states that Spain was the European country with the highest attack intensity per device in 2025, and that malicious web infrastructure traffic was particularly high.