TL;DR: Guardz's 2026 State of MSP Threat Report, released April 30, 2026, found that 89% of SMBs monitored by Guardz had at least one user with confirmed credential compromise at any given time. The report also documents a 23% surge in session hijacking, a 190% rise in ransomware activity, and a 25:1 non-human-to-human identity ratio across SMB tenants. The headline pattern from the report is captured in one of the Guardz blog summaries: attackers are not breaking in anymore, they are logging in. For NC small businesses (manufacturers, construction firms, professional services), the implication is direct: identity is now the perimeter, and treating MFA and credential rotation as a "nice to have" is the single biggest unforced error in 2026.
Key takeaway: If your business has even one user whose password was breached on a third-party site in the last 12 months, you are in the 89%. The defensible posture is not perimeter hardening - it is continuous identity monitoring, MFA on every account that touches business data, and an MSP partner who actively hunts for credential compromise in your Microsoft 365 or Google Workspace tenant.
Need identity security for your NC small business? Preferred Data Corporation has provided managed IT and cybersecurity services to North Carolina small businesses since 1987. Call (336) 886-3282 or request an identity security assessment. Serving the Piedmont Triad, Charlotte, and Raleigh metros.
What is the Guardz 2026 State of MSP Threat Report?
The Guardz 2026 State of MSP Threat Report is built on telemetry from Guardz's platform data lake covering SMB environments managed by MSPs globally from September 2025 through February 2026. Per VMblog's coverage, the dataset spans authentication, email, endpoint, and cloud productivity activity across Microsoft 365 and Google Workspace tenants in North America, EMEA, and APAC. The report is specifically focused on the SMB-via-MSP ecosystem - which is exactly the demographic NC small businesses occupy when they use a managed IT and security partner.
The headline findings:
| Metric | Value | Source |
|---|---|---|
| SMBs with at least one compromised user | 89% | Guardz 2026 MSP Threat Report |
| Session hijacking growth (year over year) | +23% | Guardz 2026 MSP Threat Report |
| Ransomware activity growth | +190% | Guardz 2026 MSP Threat Report |
| Non-human-to-human identity ratio | 25:1 | Guardz 2026 MSP Threat Report |
| RMM tool abuse as share of endpoint detections | 26% | Guardz 2026 MSP Threat Report |
| Top abused RMM tools | ScreenConnect, AteraAgent, MeshAgent | Guardz 2026 MSP Threat Report |
The "compromised users" figure means at least one corporate credential observed in dark-web dumps or info-stealer logs that ties back to a monitored business email. This is not "an attack happened" - it is "the keys are loose in the wild." The conversion rate from loose credentials to successful login varies, but on a long enough timeline the conversion is non-zero.
Why are attackers "logging in" instead of breaking in?
Per Channel Insider's summary of Guardz findings and the Guardz blog post, the shift to identity-based attacks is driven by three structural forces:
- Credential availability is high: Info-stealer malware, third-party breaches, and dark-web markets have produced a vast supply of valid credentials. A typical SMB user has 1-3 reused passwords across 50-200 accounts.
- Defensive investment is asymmetric: SMBs have spent more on EDR and firewalls than on identity controls. Attackers route around the hardened front door and use the back door (a legitimate-looking SSO login from a residential proxy).
- AI scales personalization: AI-generated phishing emails that are grammatically perfect and contextually aware (referring to actual co-workers, projects, vendors) have made credential capture campaigns far more effective.
Per the Help Net Security summary of the IDC SMB cybersecurity spending report, about 81% of SMBs are either unprepared or only partially equipped to handle AI-related threats - and this is the exact gap the identity-based attack era exploits.
What is RMM tool abuse and why is it dangerous for SMBs?
Remote Monitoring and Management (RMM) tools - ScreenConnect, AteraAgent, MeshAgent, Splashtop, AnyDesk - are legitimate software MSPs use to manage customer endpoints. Per the Guardz report, RMM tool abuse accounts for 26% of all endpoint threat detections, the single largest endpoint threat category. The danger:
- Traffic blends in: Encrypted command-and-control traffic looks like routine MSP activity. Defenders cannot easily tell a legitimate MSP session from an attacker session without explicit allowlisting.
- Spoofed installers: Attackers create modified AteraAgent or ScreenConnect MSI installers that deliver persistent access while appearing as routine deployments.
- Privilege scope: RMM agents typically run with high privileges to perform legitimate management tasks. An attacker with RMM access has effectively root-equivalent control.
Per MSSP Alert's reporting, Barracuda independently documented the same ScreenConnect abuse pattern. For NC SMBs, the defensible posture is RMM tool inventory, explicit allowlisting in EDR, and contractual visibility into the MSP's own RMM hardening (signed binaries, MFA on the RMM console, IP allowlists).
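The "explicit allowlisting in EDR" recommendation above is straightforward to express as detection logic. The script below is an added example, not code from the Guardz report, Barracuda, or Preferred Data Corporation: it runs simplified endpoint process events against an allowlist of the one RMM agent an MSP actually deploys, its expected code-signing publisher, and the console hosts it should talk to, and flags everything else (an unapproved remote-management tool, an agent with the right file name but a missing or wrong signature, and an approved agent connecting to someone else's console). All tool file names, signer strings, hostnames and events are constructed placeholders; real EDR exports have their own field names.

```python
"""Evaluate endpoint process events against an explicit RMM allowlist.

Added example for the allowlisting advice above; it is not code from the
Guardz report, Barracuda, or Preferred Data Corporation. Tool file names,
signer strings, console hostnames and the events themselves are constructed
placeholders, and the field names are simplified relative to real EDR exports.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str               # executable file name reported by the endpoint agent
    signer: Optional[str]    # code-signing publisher, None when unsigned
    remote_host: str         # console or relay the agent connected to


# Constructed allowlist: the single RMM the MSP deploys, the publisher its
# binaries must be signed by, and the console hosts it is expected to reach.
RMM_ALLOWLIST = {
    "approved-rmm-agent.exe": {
        "signer": "Approved RMM Vendor, Inc. (placeholder)",
        "consoles": {"console.approved-rmm.example"},
    },
}

# Constructed set of file names that are remote-management tools of any kind.
# Anything here that is absent from RMM_ALLOWLIST is unapproved by definition.
KNOWN_RMM_IMAGES = {"approved-rmm-agent.exe", "other-rmm-agent.exe", "remote-support.exe"}


def classify(event: ProcessEvent) -> Optional[str]:
    """Return a finding for an RMM event that deviates from policy, else None."""
    image = event.image.lower()
    if image not in KNOWN_RMM_IMAGES:
        return None  # not a remote-management tool; out of scope here
    policy = RMM_ALLOWLIST.get(image)
    if policy is None:
        return f"unapproved RMM tool {image} running on {event.host}"
    if event.signer != policy["signer"]:
        # Catches the spoofed-installer case: right file name, wrong or missing signature.
        return (f"{image} on {event.host} signed by {event.signer!r}, "
                f"expected {policy['signer']!r}")
    if event.remote_host not in policy["consoles"]:
        # Approved, correctly signed agent talking to someone else's console.
        return f"{image} on {event.host} connected to unexpected console {event.remote_host}"
    return None


def audit(events: List[ProcessEvent]) -> List[str]:
    """Run every event through classify() and keep only the findings."""
    return [finding for finding in map(classify, events) if finding]


# Constructed sample telemetry: one expected session and three deviations.
SAMPLE_EVENTS = [
    ProcessEvent("WS-ACCT-01", "approved-rmm-agent.exe",
                 "Approved RMM Vendor, Inc. (placeholder)", "console.approved-rmm.example"),
    ProcessEvent("WS-ENG-07", "other-rmm-agent.exe",
                 "Some Other Vendor (placeholder)", "relay.other-rmm.example"),
    ProcessEvent("WS-SALES-03", "approved-rmm-agent.exe",
                 None, "console.approved-rmm.example"),
    ProcessEvent("SRV-FILE-01", "approved-rmm-agent.exe",
                 "Approved RMM Vendor, Inc. (placeholder)", "198.51.100.23"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

The three checks map onto the three bullets above: the signer check is what separates a genuine deployment from a modified installer, and the console check is the "explicit allowlisting" that lets a defender tell the MSP's encrypted session from an attacker's.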
What is the practical NC small business identity defense plan?
A defensible 60-day identity hardening sprint for an NC small business with 10-200 employees:
| Days | Action | Owner |
|---|---|---|
| 1-7 | Inventory all human and non-human identities (service accounts, API keys, OAuth grants, RMM tokens) | IT + managed security partner |
| 7-14 | Force MFA on every Microsoft 365 / Google Workspace account, no exceptions, no break-glass that isn't logged | IT |
| 14-21 | Enable conditional access: block legacy auth, require compliant device, geo-fence | IT |
| 21-28 | Subscribe to dark-web credential monitoring for company email domain | Managed security partner |
| 28-35 | Audit OAuth grants in M365/Google - revoke unused, document active | IT |
| 35-42 | Rotate all service-account and API-key credentials older than 12 months | IT |
| 42-49 | Implement just-in-time elevation for admin accounts (no standing global admin) | IT |
| 49-56 | Tabletop exercise: simulate a credential-compromise incident | Managed security partner + leadership |
| 56-60 | Document the identity runbook: detection, containment, rotation, communication | Managed security partner |
For an NC SMB without dedicated security staff, a managed partner can compress this to 30-45 days with prebuilt runbooks and tenant-level automation.
What about the 25:1 non-human-to-human identity ratio?
Per the Guardz report and corroborated by The Hacker News expert analysis, the ratio of non-human identities (service accounts, API tokens, OAuth grants, RPA bots, AI agents) to human users in modern SMB cloud environments is roughly 25 to 1. In cloud-native and DevOps-heavy environments, other research from GitGuardian and Rubrik Zero Labs puts the ratio at 45:1 or higher.
For an NC manufacturer with 75 employees, that translates to roughly 1,875 non-human identities - service accounts for ERP-to-EDI integrations, OAuth grants from M365 add-ins, API tokens for backup and monitoring tools, MFA-bypass tokens for headless automation. Most of these:
- Have no documented owner
- Use credentials that have not been rotated in 12+ months
- Run with permissions broader than required for their actual function
- Are not monitored for unusual activity
A focused 30-day NHI sprint - inventory, owner assignment, scope reduction, rotation, monitoring - typically reduces an SMB's NHI attack surface by 60-80% without breaking integrations.
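The inventory step of the 60-day sprint (days 1-7), the 12-month rotation rule (days 35-42) and the four NHI gaps listed just above can be turned into a repeatable audit over an exported identity inventory. The script below is an added example, not code from the Guardz report or from any vendor tool: it computes the non-human-to-human ratio for the inventory, checks every non-human identity for a missing owner, a credential older than 365 days (or never rotated), over-broad permissions and absent monitoring, and orders the results so the worst offenders get rotated first. The identities, owner names, scope strings and the audit date are constructed; in practice the inventory would be exported from Entra ID, Google Workspace and the secrets store.

```python
"""Audit a non-human identity (NHI) inventory for the four gaps listed above.

Added example; it is not from the Guardz report or any vendor tool. The
inventory records, owner names, scope strings and audit date are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

ROTATION_MAX_AGE = timedelta(days=365)       # the "older than 12 months" rule
# Scopes treated as broader than any single integration should hold (constructed set).
BROAD_SCOPES = {"GlobalAdmin", "Directory.ReadWrite.All", "Mail.ReadWrite", "*"}
AUDIT_DATE = date(2026, 5, 1)                # fixed so the sample is reproducible


@dataclass
class Identity:
    name: str
    kind: str                                 # "human" or an NHI kind such as "service_account"
    owner: Optional[str] = None
    last_rotated: Optional[date] = None       # None = never rotated / unknown
    scopes: List[str] = field(default_factory=list)
    monitored: bool = False


def is_human(identity: Identity) -> bool:
    return identity.kind == "human"


def nhi_ratio(inventory: List[Identity]) -> float:
    """Non-human to human ratio, the figure the report states as 25:1."""
    humans = sum(1 for i in inventory if is_human(i))
    non_humans = len(inventory) - humans
    return non_humans / humans if humans else float("inf")


def findings(identity: Identity, today: date = AUDIT_DATE) -> List[str]:
    """The four gaps from the list above, evaluated for one identity."""
    issues = []
    if not identity.owner:
        issues.append("no documented owner")
    if identity.last_rotated is None or today - identity.last_rotated > ROTATION_MAX_AGE:
        issues.append("credential older than 12 months")
    if set(identity.scopes) & BROAD_SCOPES:
        issues.append("permissions broader than function requires")
    if not identity.monitored:
        issues.append("not monitored for unusual activity")
    return issues


def audit(inventory: List[Identity], today: date = AUDIT_DATE) -> Dict[str, List[str]]:
    """Map each NHI with at least one gap to its list of gaps; humans are skipped."""
    result = {}
    for identity in inventory:
        if is_human(identity):
            continue
        issues = findings(identity, today)
        if issues:
            result[identity.name] = issues
    return result


def prioritize(report: Dict[str, List[str]]) -> List[str]:
    """Order NHIs by number of gaps so the worst get rotated and scoped first."""
    return sorted(report, key=lambda name: (-len(report[name]), name))


# Constructed inventory: two humans, four NHIs with varying hygiene.
SAMPLE_INVENTORY = [
    Identity("jane.doe", "human"),
    Identity("john.roe", "human"),
    Identity("erp-edi-sync", "service_account", owner="ops@example.com",
             last_rotated=AUDIT_DATE - timedelta(days=30), scopes=["Files.Read"], monitored=True),
    Identity("backup-api-key", "api_key", owner=None,
             last_rotated=AUDIT_DATE - timedelta(days=400), scopes=["Files.Read"]),
    Identity("m365-addin-grant", "oauth_grant", owner="marketing@example.com",
             last_rotated=None, scopes=["Mail.ReadWrite"], monitored=True),
    Identity("legacy-automation", "service_account", owner=None,
             last_rotated=AUDIT_DATE - timedelta(days=800), scopes=["GlobalAdmin"]),
]

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    print(f"NHI:human ratio {nhi_ratio(SAMPLE_INVENTORY):.1f}:1")
    for name in prioritize(report):
        print(name, "->", "; ".join(report[name]))
```

Running this over a real export gives the owner-assignment, scope-reduction and rotation worklists for the 30-day NHI sprint; the "never rotated" case is deliberately treated the same as "older than 12 months", since an unknown rotation date is the more common finding in SMB tenants.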
What does the 190% rise in ransomware mean for NC small businesses?
Per the Guardz report telemetry, ransomware activity across monitored SMB environments rose 190% from the prior reporting period. The dominant pattern is "cloud ransomware" rather than the classic on-premises file-encryption flavor: attackers gain initial access via credential compromise, move laterally through OAuth or service-account abuse, exfiltrate data from cloud storage (SharePoint, OneDrive, Google Drive, S3), and extort on the threat of leak rather than encryption.
For NC small businesses, this changes the response runbook:
- Backups alone do not solve cloud ransomware - data is already exfiltrated by the time the ransom note arrives
- Detection windows are shorter - cloud ransomware can complete in hours, not days
- Cyber insurance underwriting is tighter - carriers are explicitly asking about identity controls (MFA, conditional access, OAuth governance) on every renewal
- Notification obligations are broader - state breach laws (including NC's Identity Theft Protection Act) trigger on data exfiltration regardless of encryption
The defensible posture is layered: identity-first prevention, cloud activity monitoring (UEBA-style anomaly detection in M365 and Google Workspace), tested incident response, and pre-arranged legal counsel and notification capacity.
How does AI change the SMB attack equation?
Per the Guardz report and corroborated by the VikingCloud 2026 SMB Threat Landscape Report, AI changes both attacker economics and defender requirements:
On the attacker side
- AI-generated phishing emails reach near-perfect grammar and contextual relevance
- Voice cloning enables CEO/CFO impersonation calls (vishing) at low cost
- AI-assisted reconnaissance reduces target-research time from hours to minutes
- AI helps attackers map an SMB's vendor and integration footprint from public sources
On the defender side
- Behavioral anomaly detection (UEBA) is now table stakes - rule-based detection alone cannot keep up
- Email authentication (SPF, DKIM, DMARC enforcement) closes the spoofing back door
- Security awareness training has to evolve from "spot the typos" to "verify high-risk requests through a second channel"
- An MSP partner that ingests Microsoft 365 and Google Workspace telemetry continuously is fundamentally different from one that runs monthly vulnerability scans
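The "DMARC enforcement" bullet above is a specific, checkable setting rather than a product: a domain with a DMARC record set to p=none is only monitoring, and an SPF record ending in +all authorizes anyone. The script below is an added example, not code from the Guardz or VikingCloud reports or from Preferred Data Corporation. It parses SPF and DMARC TXT record strings and reports the settings that leave spoofing open: a non-enforcing p= policy, a pct below 100, a weaker subdomain policy, no aggregate reporting address, a permissive or missing all mechanism, and too many DNS-lookup terms. The record strings are constructed; in production they would come from a TXT lookup of the domain and of _dmarc.<domain>. DKIM is not evaluated because it requires the selector's public key and a signed message, not just a policy record.

```python
"""Check SPF and DMARC TXT records for enforcement gaps.

Added example, not code from the Guardz or VikingCloud reports or from
Preferred Data Corporation. The record strings below are constructed.
"""
from typing import Dict, List

ENFORCING = {"quarantine", "reject"}
# SPF mechanisms/modifiers that each cost one of the 10 permitted DNS lookups.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> List[str]:
    """Return the ways a DMARC record falls short of enforcement (empty list = good)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        issues.append(f"policy p={policy or 'missing'} does not enforce")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # unparsable pct: treat as nothing enforced
    if pct < 100:
        issues.append(f"pct={pct} leaves {100 - pct}% of failing mail unenforced")
    if "sp" in tags and tags["sp"].lower() not in ENFORCING:
        issues.append(f"subdomain policy sp={tags['sp']} does not enforce")
    if "rua" not in tags:
        issues.append("no rua address, so no aggregate reports to review")
    return issues


def _mechanism(term: str) -> str:
    """'include:spf.example' -> 'include', '~all' -> 'all', 'redirect=x' -> 'redirect'."""
    body = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        body = body.split(sep, 1)[0]
    return body


def spf_findings(record: str) -> List[str]:
    """Return the ways an SPF record is permissive or broken (empty list = good)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    alls = [t for t in terms[1:] if _mechanism(t) == "all"]
    if not alls:
        issues.append("no 'all' mechanism; unlisted senders get a neutral result")
    else:
        qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("+all authorizes every sender on the internet")
        elif qualifier == "?":
            issues.append("?all is neutral and provides no protection")
        elif qualifier == "~":
            issues.append("~all is softfail; rely on DMARC p=reject for enforcement")
    lookups = sum(1 for t in terms[1:] if _mechanism(t) in LOOKUP_TERMS)
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the limit of 10; record will permerror")
    return issues


# Constructed sample records for a Microsoft 365 tenant domain.
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
MONITOR_ONLY_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
PARTIAL_DMARC = "v=DMARC1; p=quarantine; pct=25; sp=none"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 +all"

if __name__ == "__main__":
    for label, record, check in [("DMARC", MONITOR_ONLY_DMARC, dmarc_findings),
                                 ("DMARC", PARTIAL_DMARC, dmarc_findings),
                                 ("SPF", WEAK_SPF, spf_findings)]:
        print(label, record, "->", check(record) or "ok")
```

A p=none record is the state most SMB domains sit in after a one-time "set up DMARC" project; the check treats it as a finding because it reports spoofing without stopping it. An SPF check alone is also not enough, since softfail only becomes enforcement once DMARC is at p=reject, which is why the two are evaluated side by side.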
How does Preferred Data Corporation help NC small businesses respond?
We start with an identity security baseline: inventory all human and non-human identities across Microsoft 365, Google Workspace, line-of-business SaaS, and on-premises systems. We enforce MFA, conditional access, and OAuth governance in your tenant - not just deploy the tools, but operate them. We monitor dark-web credential feeds for your email domain and notify on confirmed exposures. We run RMM tool hardening on our own toolchain (signed binaries, console MFA, IP allowlists) and provide the same hygiene as part of our managed IT services. We integrate identity-incident scenarios into tabletop exercises so leadership has rehearsed credential-compromise response. Most NC SMBs do not need a SOC; they need a partner who treats identity as the perimeter and runs it that way.
Frequently Asked Questions
What does the 89% compromised users statistic actually mean?
It means that across Guardz's monitored SMB tenant base, 89% had at least one user with a confirmed credential exposure observed in dark-web dumps, info-stealer logs, or third-party breach data during the September 2025 to February 2026 reporting window. The exposed credential may or may not have been actively used in an attack, but it is in the wild. The defensible response is MFA enforcement plus continuous monitoring.
Are RMM tools too dangerous for SMBs to use?
No. RMM tools are essential for any MSP to manage SMB endpoints at scale. The risk is unmanaged RMM exposure: missing console MFA, unrestricted IP access, unsigned binaries, no allowlisting in EDR, no monitoring for anomalous RMM sessions. A properly hardened MSP toolchain is far safer than the alternative (no remote management, slow patching, missed incidents). Ask your MSP for documented RMM hardening evidence.
How much does identity security cost for an NC small business?
A managed identity security baseline (MFA enforcement, conditional access, dark-web monitoring, OAuth governance, quarterly review) typically runs $15-$35 per user per month for an NC SMB, often bundled into a managed IT and security plan. First-year implementation cost for a 50-user company is in the $8,000-$20,000 range. The economics compare favorably to the $100,000+ floor on a typical SMB ransomware incident.
How is "cloud ransomware" different from classic ransomware?
Classic ransomware encrypts files on endpoints or servers and demands payment for a decryption key. Cloud ransomware exfiltrates data from cloud storage (SharePoint, OneDrive, Google Drive, S3, ERP databases) and threatens to leak or sell it. Backups do not resolve the leak threat. The defensible posture combines identity-first prevention, cloud activity monitoring, and a tested data-exposure incident response runbook.
What is non-human identity (NHI) and why does it matter?
A non-human identity is any digital identity that authenticates to a system but is not a human user - service accounts, API keys, OAuth tokens, SSH keys, machine certificates, AI agent identities. The Guardz 2026 report puts the NHI-to-human ratio at 25:1 across SMB tenants; other research puts it higher. NHIs are the fastest-growing and least-governed attack surface in 2026 because they often have persistent credentials, broad permissions, and unclear ownership.
Does cyber insurance require identity controls?
Increasingly yes. Per the 2026 cyber insurance market analysis, most carriers now require evidence of MFA enforcement on every account, conditional access policies, dark-web monitoring for the company email domain, and an incident response runbook. Carriers are reducing limits or declining renewals for businesses without basic identity controls.
What is the first thing a small business should do this week?
Force MFA on every Microsoft 365 and Google Workspace account, no exceptions. Audit OAuth grants and revoke ones that are not actively used. Subscribe to dark-web credential monitoring for your company domain. These three actions close the highest-impact gaps in under a week and cost less than $500 for a 25-user company. Document what you did so cyber insurance and customer due-diligence questionnaires can reference it.
Related Resources
- Black Kite 2026 third-party breach report manufacturing pressure zone NC
- April 2026 credential theft campaign 35,000 users defense NC
- 2026 SMB breach economics NC small business survival budget
- AI agents inside the perimeter shadow AI governance for NC small business
- Managed cybersecurity services for NC businesses
- Managed IT services for North Carolina businesses
About the author: Preferred Data Corporation has provided managed IT, AI transformation, and cybersecurity services to North Carolina small businesses since 1987. Based at 1208 Eastchester Drive, Suite 131, High Point, NC 27265, we serve manufacturers, construction firms, and professional services organizations across the Piedmont Triad, Charlotte, and Raleigh metros. Call (336) 886-3282 or request an identity security assessment.