Guardz 2026: 9 of 10 SMBs Have Compromised Users - NC Plan


TL;DR: Guardz's June 2026 MSP threat report found that 90% of small and mid-size businesses have at least one compromised user account, ransomware activity climbed 190%, session hijacking is up 23%, and non-human identities outnumber human users 25 to 1. AI is the multiplier behind every line. For NC small businesses, that means the perimeter is dead, identity is the new perimeter, and password-only or even MFA-only defenses are no longer enough. The fix is identity threat detection and response (ITDR), managed XDR, and an MSP partner running 24/7 monitoring across endpoint, identity, email, and cloud.

Key takeaway: If your defense strategy still revolves around firewalls, MFA, and antivirus alone, you are protecting 2018's attack surface against 2026's adversaries. The SMBs that survive 2026 are running managed identity and XDR programs, not single-tool stacks.

Worried at least one of your users is already compromised? Preferred Data Corporation runs managed identity and XDR for NC small businesses. Call (336) 886-3282 or request a credential exposure check.

What did the Guardz 2026 MSP threat report find?

The report documents a structural shift in the SMB attack surface caused by AI-driven attacker tooling. Per Channel Insider's coverage and the official PR Newswire release, the headline statistics are:

  • 90% of SMBs have at least one compromised user account. Credential leakage, infostealer infections, or session cookie theft is the dominant breach precursor.
  • Ransomware activity up 190% year over year. AI is compressing reconnaissance, initial access, and encryption phases.
  • Session hijacking up 23%. Attackers steal authentication cookies after the user has cleared MFA, then replay them from attacker infrastructure.
  • Non-human identities outnumber human users 25 to 1. API keys, service accounts, OAuth tokens, automation principals, AI agent credentials. Each one is a credential the SOC has to track.
  • Cloud ransomware shifted into SharePoint and OneDrive. Attackers no longer need to encrypt the endpoint; they can encrypt the documents inside the cloud tenant.
  • 31% of users now have at least one compromised password in any given month, as attackers use AI to optimize wordlists by region and habit.

The picture this paints is consistent with the Verizon 2026 DBIR, ConnectWise's 2026 MSP Threat Report, and the BlackFog 2026 State of Ransomware report: identity is the new perimeter, AI is the multiplier, and SMBs are the dominant victim profile.

Why is identity the new perimeter in 2026?

Because attackers no longer have to break the network; they only have to log in. Per Guardz, ConnectWise, and the Verizon DBIR, the dominant initial access vectors in 2026 are vulnerability exploitation of internet-exposed services, credential theft via infostealers, and session cookie replay after MFA. All three converge on identity:

  • Infostealer-as-a-service sells credentials, cookies, autofill data, MFA tokens, and crypto wallet keys per device for less than $10.
  • AI-driven phishing generates personalized lures from LinkedIn, M365, and supplier-network reconnaissance in seconds.
  • Session cookie theft bypasses MFA because once a user has cleared MFA, the cookie carries the entire authenticated state, and the attacker just imports it into their own browser.
  • Non-human identities rarely have MFA, rarely have alerting, and rarely have rotation policies. AI agents and automation services compound the problem.

2018 attack surface    2026 attack surface                                         Why it shifted
Firewall, AV, VPN      Identity, cloud APIs, AI agents, supply chain               Cloud + remote work + AI
Passwords              Passwords + MFA + session cookies + non-human identities    MFA pushed attackers to cookies
One alert source       10+ (identity, cloud, endpoint, email, OAuth, agent)        SaaS sprawl + AI agents
Quarterly patching     KEV-rate cadence, daily                                     Exploit availability beats patches by 50 days

The defender response is identity threat detection and response (ITDR) plus managed extended detection and response (XDR) that fuses endpoint, identity, email, and cloud telemetry into a single 24/7 operations function.

What does 190% ransomware growth mean for NC small businesses?

It means the bell curve has moved. Per Guardz, BlackFog's 2026 report, and the Verizon 2026 DBIR, 88% to 96% of ransomware victims with known size are SMBs. The average SMB ransomware incident now costs $254,000 in recovery, and according to industry sources 60% of SMBs hit by ransomware close within six months.

For a Piedmont Triad SMB, three exposure layers stack:

  • Endpoint. EDR/MDR with tamper protection and behavior detection. Defender for Business, SentinelOne, CrowdStrike Falcon, Sophos Intercept X, or equivalent. Standalone antivirus is no longer adequate.
  • Identity. MFA on every user account, conditional access in M365 or Google Workspace, phish-resistant MFA (FIDO2 / passkeys) for admins, and a session-cookie revocation policy.
  • Cloud. Backup of M365 and Google Workspace data to an immutable, off-tenant location. Cloud ransomware can and does encrypt SharePoint and OneDrive directly.

Quotable definition: A compromised user in the 2026 Guardz MSP report is any user account for which the attacker has at least one valid credential, valid session cookie, or active OAuth grant in the SMB's identity, email, or cloud environment, regardless of whether the breach has been detected.

What should an NC small business do this quarter?

Run a credential exposure check, harden identity, deploy managed XDR, and document everything for cyber insurance.

  1. Run a credential exposure check on every user. Use tools such as Have I Been Pwned, breach-intelligence feeds, and infostealer log scans matched against your M365 / Google tenant. If 9 of 10 SMBs have a compromised user, you almost certainly do too.
  2. Force a tenant-wide password and session rotation. Revoke every active M365 / Google session, force re-auth, rotate any leaked credentials. Then turn on conditional access so future sessions check device compliance, location, and risk.
  3. Deploy phish-resistant MFA for privileged accounts. FIDO2 hardware keys or passkeys for all administrators, finance, and HR. SMS-based MFA is no longer adequate.
  4. Inventory non-human identities. Every API key, service account, OAuth grant, automation principal, and AI agent token. Rotate where you can, alert where you cannot.
  5. Deploy managed XDR + ITDR. Single-tool stacks miss the cross-surface attack patterns. A 24/7 managed SOC that fuses endpoint, identity, email, and cloud telemetry is the structural defense in 2026.
  6. Document for cyber insurance. MFA enforcement, EDR/MDR coverage, immutable backup, identity monitoring, incident response retainer. Per Velocity Technology Group's 2026 SMB insurance brief, more than 73% of SMBs fail cyber insurance audits in 2026.
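Step 1 above names Have I Been Pwned as an exposure-check source. The script below is an added example (not code from the page, from Guardz, or from Preferred Data Corporation) showing how that check is done without sending a password or its full hash anywhere: the Pwned Passwords range API takes only the first five hex characters of the SHA-1 and returns every matching suffix, so the match is made locally (k-anonymity). The live fetcher is real (api.pwnedpasswords.com/range/ plus the documented Add-Padding header), but the sample range response, the breach count in it, and the candidate passwords are constructed for the demonstration.

```python
"""Pwned Passwords k-anonymity exposure check.

Added example, not code from the page or the vendors it names. Network access
is injectable so the check runs offline against a constructed range response.
"""
import hashlib
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed range response for the prefix 5BAA6 (the prefix of SHA-1("password")).
# Real responses are 'SUFFIX:COUNT' lines; with Add-Padding, some lines carry count 0.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:4210
0123456789ABCDEF0123456789ABCDEF012:2
FEDCBA9876543210FEDCBA9876543210FED:0
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix that is matched locally and never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip() or 0)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Query the real range endpoint for one 5-char prefix (requires network)."""
    import urllib.request

    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "exposure-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix: str) -> str:
    """Constructed stand-in for the API so the example runs without network."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range_live) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    Padding entries have count 0, so they never report a false exposure."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def is_acceptable(password: str, fetch: Callable[[str], str] = fetch_range_live) -> bool:
    """Policy hook for a password-reset flow: reject any known-breached value."""
    return breach_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 9F"):
        n = breach_count(candidate, fetch=offline_fetch)
        print(f"{candidate!r}: seen {n} times -> {'REJECT' if n else 'ok'}")
```

Use it at password-set time (or in a one-off sweep of a password manager export) rather than against stored credentials; the point of the range query is that neither the password nor its full hash is disclosed to the service.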

Need this restructured and operated for your business? Call (336) 886-3282 or contact Preferred Data Corporation for a managed identity and XDR program.

Why is this a managed-MSP problem, not a single-tool buy?

Because the attack surface is structurally multi-domain (endpoint + identity + email + cloud + supply chain + AI agents) and the labor model that catches it is 24/7 multi-domain triage. Per ConnectWise and Guardz, the SMB victim profile in 2026 is small businesses that bought best-of-breed point tools but had no integrated 24/7 operations function on top of them. The MSP economics work because the SOC, ITDR, XDR, RMM, EDR, and backup stacks are spread across many clients, while one in-house generalist cannot economically operate them alone.

For a Piedmont Triad SMB, the right answer is to choose an MSP that runs the full managed identity and XDR stack, evidences it for insurance, and partners on incident response. Preferred Data Corporation has delivered that managed protection to North Carolina small businesses since 1987, from our High Point headquarters and on-site across the Piedmont Triad, Charlotte, Greensboro, Raleigh, and Winston-Salem.

PDC supports this through managed cybersecurity, managed IT services, and data protection and backup.

Frequently Asked Questions

Where did the "9 out of 10 SMBs" statistic come from?

From Guardz's June 2026 MSP Threat Landscape report, which analyzed compromise indicators across thousands of SMB tenants under MSP management. Per Channel Insider's coverage, the number reflects users with at least one valid credential, cookie, or OAuth grant in attacker hands, not necessarily users whose accounts have already been used in an active attack.

Is MFA still useful in 2026?

Yes, but it is no longer sufficient on its own. MFA materially reduces credential-only attack success, which is why, per the Verizon 2026 DBIR, attackers shifted to vulnerability exploitation (31% of breaches) and session cookie theft. The 2026 baseline is phish-resistant MFA (FIDO2 / passkeys) for privileged accounts and conditional access policies that re-evaluate risk per session.

What is identity threat detection and response (ITDR)?

A category of security tooling and managed service focused on the identity layer: detecting impossible-travel sign-ins, anomalous OAuth grants, suspicious mailbox forwarding rules, token theft, privilege escalation, and non-human identity abuse. ITDR sits alongside EDR and email security as one of the three core 2026 SMB defenses. Managed XDR fuses all three.
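The first detection the answer above lists, impossible-travel sign-ins, is simple enough to show end to end. The following is an added example (not code from the page, Guardz, or Preferred Data Corporation) that parses a small constructed sign-in log, orders each user's successful sign-ins, and flags any pair whose implied ground speed exceeds a plausibility ceiling. The sign-in lines, the city-to-coordinate table, and the 900 km/h ceiling are assumptions for illustration; a real ITDR feed would carry IP geolocation and a tuned threshold instead.

```python
"""Impossible-travel detection over sign-in events (an ITDR-style check).

Added example, not code from the page or the vendors it names. All input data
below is constructed.
"""
import math
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sign-in log: timestamp (UTC), user, source city, result.
SAMPLE_SIGNINS = """\
2026-06-03T08:02:11Z alice@example.com Greensboro success
2026-06-03T08:41:40Z alice@example.com Amsterdam success
2026-06-03T09:10:05Z bob@example.com Charlotte success
2026-06-03T13:30:00Z bob@example.com Raleigh success
2026-06-03T09:12:30Z carol@example.com Raleigh failure
2026-06-03T09:13:10Z carol@example.com Raleigh success
"""

# Assumed geolocation table (latitude, longitude) for the cities in the sample.
CITY_COORDS: Dict[str, Tuple[float, float]] = {
    "Greensboro": (36.0726, -79.7920),
    "Charlotte": (35.2271, -80.8431),
    "Raleigh": (35.7796, -78.6382),
    "Amsterdam": (52.3676, 4.9041),
}

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruise speed
EARTH_RADIUS_KM = 6371.0


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def parse_signins(text: str) -> List[dict]:
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, city, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "city": city, "result": result,
        })
    return events


def find_impossible_travel(events: List[dict], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[dict]:
    """Flag consecutive successful sign-ins per user whose implied speed is
    above max_kmh. Failures are ignored: an attacker guessing from abroad is a
    different signal (brute force) handled by a different rule."""
    by_user: Dict[str, List[dict]] = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":
            by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["city"] not in CITY_COORDS or cur["city"] not in CITY_COORDS:
                continue  # unknown geolocation: cannot reason about distance
            dist = haversine_km(CITY_COORDS[prev["city"]], CITY_COORDS[cur["city"]])
            if dist == 0:
                continue  # same location, nothing to evaluate
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({
                    "user": user, "from": prev["city"], "to": cur["city"],
                    "minutes": round(hours * 60, 1), "km": round(dist), "kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for a in find_impossible_travel(parse_signins(SAMPLE_SIGNINS)):
        print(f"ALERT {a['user']}: {a['from']} -> {a['to']} in {a['minutes']} min "
              f"({a['km']} km, ~{a['kmh']} km/h)")
```

On the sample, only alice is flagged (Greensboro to Amsterdam in under 40 minutes); bob's Charlotte-to-Raleigh gap is a normal drive. This is the shape of the rule: a session cookie replayed from attacker infrastructure looks exactly like a valid sign-in, so the detection has to come from context (geography, device, timing) rather than from the credential check, which the attacker already passed.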

Does cloud ransomware target small businesses?

Yes, and increasingly so. Per Guardz and BlackFog's 2026 report, attackers now encrypt SharePoint, OneDrive, and Google Drive files directly via stolen OAuth tokens or session cookies. SMBs that backed up only their endpoints, not their cloud tenant, have no clean restore path.

Can our in-house IT team operate ITDR + XDR?

For very small businesses (under 25 endpoints, single tenant, no on-prem systems) possibly, with the right tooling. For 25-500 person Piedmont Triad SMBs with mixed cloud, on-prem, manufacturing OT, and supplier network exposure, the structural answer is no. A managed program from an MSP that runs the stack across many clients is the only economical way to maintain 24/7 multi-domain coverage at SMB scale.
