TL;DR: SonicWall's 2026 Cyber Protect Report reframes the annual research around SMB protection outcomes rather than raw threat statistics, and the headline number is brutal: 88% of SMB breaches in 2025 involved ransomware, more than double the rate at large enterprises per the Verizon 2025 DBIR. High and medium severity attacks surged 20.8% to more than 13 billion hits, and automated bots now generate more than 36,000 vulnerability scans per second, accounting for over half of all internet traffic per SonicWall and MSSP Alert. The report names "Seven Deadly Sins" behind repeat SMB breaches; this post walks NC SMB owners through the five most clearly enumerated in public summaries and the defense plan that follows.
Key takeaway: SonicWall's reframe matters because it stops measuring security by activity (alerts processed, tools purchased, scans run) and starts measuring it by outcomes (breaches avoided, dwell time reduced, recovery time shortened). For NC small businesses, that is the difference between paying for a SOC dashboard and paying for the result the dashboard is supposed to produce.
Need an outcome-based security maturity review for your NC SMB before Q3? Preferred Data Corporation has run managed IT and cybersecurity for NC small businesses since 1987 from High Point. Call (336) 886-3282 or book a security gap assessment.
What does the SonicWall 2026 Cyber Protect Report actually say?
SonicWall's 2026 edition is the first built around SMB protection outcomes rather than threat-stat theater. Per Security Systems News and the SonicWall newsroom, the message to SMB owners is that the volume of attacks is no longer the story; the gap between what SMBs spend on security tooling and what those tools actually prevent is the story.
Four data points an NC SMB owner should write down:
- 88% of SMB breaches in 2025 involved ransomware. Per the Verizon 2025 DBIR and reinforced in the SonicWall report, that is more than twice the rate seen at large enterprises. SMBs are not occasional targets; they are the preferred targets.
- High and medium severity attacks rose 20.8%, to more than 13 billion hits. Per Cybersecurity Asia, the threat surface is not just expanding; the dangerous slice of it is growing fastest.
- Automated bots now run more than 36,000 vulnerability scans per second. Per MSSP Alert, bots account for more than half of all internet traffic. Your NC SMB's firewall, login page, and VPN endpoint are getting prodded constantly, regardless of size or industry.
- Reframe to outcomes. Per Security Systems News, the 2026 report deliberately moves the measurement away from "how many threats did we see" and toward "what did the SMB customer actually walk away protected from."
For an NC SMB in High Point, Greensboro, Winston-Salem, Charlotte, Raleigh, or anywhere across the Piedmont Triad and Research Triangle, the implication is straightforward: the bots do not care if you make injection-molded parts for an automotive Tier 2 in Davidson County or run a 30-person law firm in Forsyth County. They scan, they probe, they move on to whichever target collapses first.
What are the "Seven Deadly Sins" of SMB cybersecurity?
SonicWall enumerates seven sins. Public summaries from SonicWall, MSSP Alert, and Cybersecurity Asia consistently describe the following five in detail. SonicWall lists two additional sins in the full report; for accuracy, we recommend reading the full 2026 Cyber Protect Report directly rather than relying on a third-party summary for sins six and seven.
| Sin | What it looks like in an NC SMB | Why it gets breached | Fix |
|---|---|---|---|
| 1. Ignoring the Fundamentals | Shared admin passwords, unpatched servers, every user a local admin | Attackers do not need 0-days when MFA is off and a 2022 CVE is still open | Enforce MFA everywhere, monthly patch cadence, least-privilege admin |
| 2. False Confidence | "We are too small to be a target," untested backups, no tabletop exercises | The control exists on paper; nobody has verified it works under attack | Quarterly tabletops, restore drills, third-party control testing |
| 3. Overexposed Access | Flat LAN, ERP and HVAC on the same VLAN, "any-any" firewall rules | Once one endpoint is owned, the entire network is owned | Network segmentation, zero-trust access, deny-by-default firewall |
| 4. Reactive Security Posture | No 24/7 monitoring, alerts triaged Monday morning, no threat hunting | Attackers set the timeline; you find out from a customer or law enforcement | 24/7 MDR, weekly threat hunts, defined response runbooks |
| 5. Cost-Driven Security Decisions | "We will do it next budget cycle," cheapest EDR, no security headcount | Security spend is treated as overhead, not as loss prevention | Security budget as defined % of IT spend; outcome-based contracting |
Each sin maps to a measurable outcome. SonicWall's argument, and ours, is that you should not buy "a firewall" or "a SIEM"; you should buy "MFA enforcement on 100% of identities" or "median dwell time under 24 hours." The tool is the means; the outcome is what you are paying for.
Why does 88% of SMB breaches involving ransomware matter for NC small businesses?
The 88% figure matters because it describes an asymmetry that NC SMBs cannot wish away. Per the Verizon DBIR data referenced in the SonicWall report, SMBs face essentially the same attacker class as large enterprises, with a fraction of the budget, headcount, and tooling. The ransomware operators do not discriminate; they aim where the controls are weakest.
For three NC SMB segments in particular, the asymmetry is acute:
- NC manufacturers. A High Point furniture supplier, a Lexington precision-machining shop, or a Greensboro automotive Tier 2 has ERP, MES, CNC controllers, and shop-floor IoT on networks that historically were not designed with ransomware in mind. The 88% figure is the cost of that historic design choice.
- NC construction firms. A Charlotte general contractor or a Raleigh civil engineering firm runs project files, BIM models, and CAD on shared drives that are often the first thing encrypted. Without segmented backups, the entire bid pipeline goes dark.
- NC professional services. A Winston-Salem CPA practice, a Triad insurance brokerage, or a Piedmont legal firm holds client PII, payroll, and tax data that ransomware crews monetize twice (encryption plus extortion-leak).
The defense work is the same across all three; the urgency is what differs. A ransomware event at a 40-person NC SMB is an existential event, not a quarterly hit to a parent company's earnings.
Which of the Seven Deadly Sins is your NC SMB most likely committing right now?
Walk this checklist with whoever owns IT in your business. If you answer "no" or "I do not know" to any item, that sin is currently active.
Sin 1: Ignoring the Fundamentals
- Is MFA enforced (not just available) for every Microsoft 365 / Google Workspace user, including service accounts and shared mailboxes?
- Have you applied all critical patches to internet-facing systems (firewall, VPN, RMM, email gateway) within the last 30 days?
- Is local admin disabled for non-IT staff on every laptop and desktop?
Sin 2: False Confidence
- Have you tested a full restore from backup in the last 90 days, not just verified the backup ran?
- Have you run a tabletop exercise (paper-based incident walkthrough) with leadership in the last 12 months?
- Has an independent third party tested your controls (penetration test, configuration audit, or gap assessment) in the last 12 months?
Sin 3: Overexposed Access
- Are guest Wi-Fi, OT/shop-floor networks, and corporate workstations on separate VLANs with deny-by-default rules between them?
- Do users only have access to the file shares and applications they need for their current role?
- Are dormant accounts (former employees, finished contractors) disabled within 24 hours of departure?
Sin 4: Reactive Security Posture
- Is someone (in-house or outsourced) actually watching security alerts 24/7, including weekends and holidays?
- Do you have a documented incident response runbook, and does the on-call rotation know where it lives?
- Do you proactively hunt for indicators of compromise, or only investigate alerts after they fire?
Sin 5: Cost-Driven Security Decisions
- Is security funded as a defined percentage of IT spend, or as whatever is left over?
- When a security control is deferred, is the deferral documented with the residual risk owner named?
- Are you measuring outcome metrics (mean time to detect, mean time to recover, % of identities with MFA) or only activity metrics (tickets closed, scans run)?
A reasonable NC SMB benchmark: if you answered "no" to more than three of the fifteen questions above, you are actively committing at least one sin, and you statistically sit inside the population behind the 88% ransomware rate.
Key takeaway: The Seven Deadly Sins are not failures of tooling; they are failures of operating discipline. NC SMBs that close the fundamentals, test their controls, segment their networks, monitor 24/7, and budget security as loss prevention move out of the breach-probable cohort even without buying a single additional product.
What does an outcome-based SMB security program actually look like?
An outcome-based program is built around five anchors that map directly to the sins. The point is not the list of products; it is the measurable result each anchor produces.
| Sin | Outcome Metric | Tool / Service Layer |
|---|---|---|
| Ignoring the Fundamentals | 100% MFA enforcement, 30-day patch SLA, zero local admin | Conditional access, RMM with patch automation, LAPS |
| False Confidence | Quarterly tested restores, annual tabletop, annual third-party test | Immutable backups, IR runbook, pen test partner |
| Overexposed Access | Segmented network, least-privilege RBAC, 24-hour offboarding SLA | Firewall with VLAN policy, identity governance, joiner/mover/leaver workflow |
| Reactive Security Posture | 24/7 alert coverage, median MTTD < 24 hours, documented runbook | MDR / managed XDR, SIEM, IR retainer |
| Cost-Driven Security Decisions | Security as defined % of IT budget, risk-owned deferrals | Outcome-based MSP/MSSP contracts, vCISO oversight |
A few things this table does not promise. It does not promise zero breaches; nothing does. It does not promise a specific dollar figure; security spend scales to risk profile, industry, and regulatory exposure. What it does promise is a defensible posture: if a breach does happen, the SMB owner can show that fundamentals were enforced, controls were tested, access was constrained, monitoring was continuous, and budget reflected risk. That is the posture that survives insurer audits, customer due-diligence questionnaires, and post-incident litigation.
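As an added illustration (not code from SonicWall or Preferred Data Corporation), the sketch below scores four of the table's measurable targets: 100% MFA enforcement, the 30-day patch SLA, the 24-hour offboarding SLA, and median MTTD under 24 hours. The inventory records and field names are constructed assumptions, not a vendor schema.

```python
from datetime import datetime, timedelta
from statistics import median

NOW = datetime(2026, 6, 1, 9, 0)  # constructed "as of" time for the sample data

# Constructed sample inventory; field names are assumptions, not a vendor schema.
IDENTITIES = [
    {"id": "alice", "kind": "user", "mfa_enforced": True},
    {"id": "bob", "kind": "user", "mfa_enforced": True},
    {"id": "svc-backup", "kind": "service", "mfa_enforced": False},
    {"id": "info@", "kind": "shared_mailbox", "mfa_enforced": True},
]
EDGE_SYSTEMS = [  # internet-facing: firewall, VPN, RMM, email gateway
    {"name": "firewall", "last_critical_patch": datetime(2026, 5, 20)},
    {"name": "vpn", "last_critical_patch": datetime(2025, 4, 1)},
]
LEAVERS = [  # departed staff/contractors; disabled=None means still enabled
    {"id": "carol", "departed": datetime(2026, 5, 1, 17),
     "disabled": datetime(2026, 5, 2, 9)},
    {"id": "dave", "departed": datetime(2026, 5, 10, 17), "disabled": None},
]
INCIDENTS = [  # (first malicious activity, first detection)
    (datetime(2026, 3, 1, 2), datetime(2026, 3, 1, 8)),
    (datetime(2026, 4, 5, 23), datetime(2026, 4, 7, 9)),
    (datetime(2026, 5, 9, 1), datetime(2026, 5, 9, 13)),
]

def scorecard(identities, edge, leavers, incidents, now):
    """Return {metric: (value, passed, offenders)} for the table's targets."""
    # MFA must be enforced on every identity, service accounts included.
    no_mfa = [i["id"] for i in identities if not i["mfa_enforced"]]
    mfa_pct = 100.0 * (len(identities) - len(no_mfa)) / len(identities)
    # Internet-facing systems with no critical patch in the last 30 days.
    stale = [s["name"] for s in edge
             if now - s["last_critical_patch"] > timedelta(days=30)]
    # A still-enabled account is measured against "now", so it keeps failing.
    late = [l["id"] for l in leavers
            if (l["disabled"] or now) - l["departed"] > timedelta(hours=24)]
    # Median hours between first malicious activity and first detection.
    mttd_h = median((d - c).total_seconds() / 3600 for c, d in incidents)
    return {
        "mfa_enforcement_pct": (mfa_pct, not no_mfa, no_mfa),
        "patch_sla_30d": (len(stale), not stale, stale),
        "offboarding_sla_24h": (len(late), not late, late),
        "median_mttd_hours": (mttd_h, mttd_h < 24, []),
    }

if __name__ == "__main__":
    for name, (value, ok, who) in scorecard(
            IDENTITIES, EDGE_SYSTEMS, LEAVERS, INCIDENTS, NOW).items():
        print(f"{name:22} {value!s:>6} {'PASS' if ok else 'FAIL'} {who}")
```

The offender lists matter more than the percentages: in the sample data a single unenforced service account and one never-disabled leaver fail their targets even though most records are compliant.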
For NC manufacturers chasing CMMC, NC defense suppliers chasing DFARS, NC healthcare-adjacent SMBs touching HIPAA data, and NC firms in the Piedmont Triad working with regulated customers, the same outcome anchors satisfy most of the compliance overlay. The compliance documentation comes for free once the operating discipline is real.
How does Preferred Data Corporation address the Seven Deadly Sins for NC SMBs?
PDC has run managed IT and cybersecurity for NC small businesses since 1987 from High Point, with a 20+ year average client tenure and an on-site service radius of 200 miles. The Seven Deadly Sins map cleanly to three of our service lines.
- Managed IT services addresses Sin 1 (Fundamentals) and Sin 5 (Cost-Driven Decisions). MFA rollout, patch management with monthly SLAs, least-privilege admin enforcement via Local Admin Password Solution or equivalent, RMM-driven configuration drift detection, and a documented monthly executive report that turns activity into outcome metrics an owner can read in five minutes.
- Cybersecurity services addresses Sin 2 (False Confidence) and Sin 4 (Reactive Posture). 24/7 managed detection and response, quarterly restore testing, annual tabletop facilitation with named NC SMB executives in the room, third-party-style gap assessments, threat hunting on the customer estate, and an incident response runbook tied to a defined on-call rotation.
- Network infrastructure services addresses Sin 3 (Overexposed Access). VLAN segmentation between corporate / OT / guest, deny-by-default firewall policy review, zero-trust network access rollout for remote staff and vendors, and architecture review for NC manufacturers whose ERP and shop-floor controllers sit on networks that were designed before ransomware was the default attacker business model.
For an NC manufacturer in High Point or Lexington whose CNC controllers share a VLAN with the accounting laptops, for an NC construction firm in Charlotte whose BIM files live on a flat file server, for an NC professional services firm in Greensboro or Winston-Salem whose backups have never been test-restored, and for an NC distributor in the Triad whose VPN appliance has not seen a patch in 14 months, the Seven Deadly Sins are not abstract; they are the to-do list for the next 90 days.
Frequently Asked Questions
What are the Seven Deadly Sins of SMB cybersecurity in SonicWall's 2026 report?
Per SonicWall's announcement and MSSP Alert's coverage, the five sins consistently detailed in public summaries are: Ignoring the Fundamentals, False Confidence, Overexposed Access, Reactive Security Posture, and Cost-Driven Security Decisions. SonicWall lists two additional sins in the full report; we recommend reading the SonicWall report directly for the authoritative definitions of sins six and seven rather than relying on summaries.
Why are 88% of SMB breaches ransomware?
Per the Verizon 2025 DBIR data cited in the SonicWall report, SMBs are more than twice as likely as large enterprises to see a breach involve ransomware. The reason is an asymmetry: SMBs face the same attacker class but operate with smaller budgets, smaller security teams, weaker network segmentation, less mature backup strategies, and slower patch cadences. Ransomware operators run their business by finding the lowest-cost path to monetization, and SMB controls are statistically the lowest-cost path.
What does "Reactive Security Posture" actually mean for a small business?
It means the SMB only investigates security events after an alert fires, a user complains, or a customer reports an issue, and that nobody is watching during nights, weekends, or holidays. The attackers know this; they time intrusions to maximize the dwell window. The fix is 24/7 managed detection and response, a documented runbook the on-call rotation can execute under pressure, and routine threat hunting that looks for indicators of compromise even when no alert has fired.
How much should an NC small business spend on cybersecurity?
There is no single percentage that fits every NC SMB; spend scales with industry, regulatory exposure, data sensitivity, and customer due-diligence requirements. A common benchmark range cited by industry analysts is 10% to 15% of total IT spend for SMBs without a regulatory overlay, with manufacturers chasing CMMC, healthcare-adjacent firms touching HIPAA data, and defense suppliers chasing DFARS typically landing higher. The SonicWall report's point is that the percentage matters less than the outcome the spend produces; "cheap and ineffective" is more expensive than "right-sized and tested" once a ransomware event is priced in.
What's the highest-ROI security control for an NC SMB?
For most NC SMBs, MFA on every identity (including service accounts, shared mailboxes, and admin accounts) is the single highest-ROI control. It addresses the credential-theft front door that fuels the majority of the ransomware chain, costs almost nothing in software terms when bundled with Microsoft 365 or Google Workspace, and removes the bulk of the automated credential-stuffing risk posed by the bots that are running 36,000+ vulnerability scans per second against the internet right now. Second highest is patching internet-facing systems within 30 days; third is offline / immutable backups.
Should an NC SMB run 24/7 monitoring in-house or outsource it?
For the overwhelming majority of NC SMBs, outsource it. Running a true 24/7 in-house security operations function requires a minimum of five to six trained analysts to cover shifts, vacations, and burnout, plus the SIEM tooling and the playbooks. That headcount is typically out of reach for SMBs under a few hundred employees. A managed detection and response provider (or a managed IT firm with an MDR partner) buys the outcome (24/7 coverage, median time to detect under 24 hours) at a fraction of the headcount cost, and the contract makes the outcome contractual rather than aspirational.