Weekly Briefing • June 08, 2026

Brian here. SonicWall released their 2026 Cyber Protect Report this month, and the findings line up with what we see across the practices we manage in Ohio: the firms that get breached aren't failing because of sophisticated attacks. They're failing because of predictable, preventable gaps.

SonicWall makes the firewalls we deploy in every managed environment. Their data comes from the same class of hardware sitting in your server room right now. So when their report identifies the most common ways businesses get compromised, it's directly relevant to how your network is protected — and where the gaps tend to hide.

The Number That Should Change How You Think About Email

Cysurance — the warranty provider behind the coverage that comes with your managed services — reports that 98% of their claims are from business email compromise and funds transfer fraud. Not ransomware. Not data breaches. Someone gets a convincing email, updates payment details, and money goes somewhere it shouldn't.

Key Insight

98% of cyber insurance claims are business email compromise and funds transfer fraud — not ransomware, not malware. Just someone deceived into sending money to the wrong account. — Cysurance, via SonicWall 2026 Cyber Protect Report

In many of those cases, no system was actually compromised. No credentials were stolen. No malware was deployed. An employee was simply deceived into wiring money to the wrong account. Cysurance is now seeing employees lose their jobs over authorizing these payments — people who were acting in good faith, following what looked like legitimate instructions.

The fix costs nothing: any change to payment information gets verified by a phone call to a known number. Every time. No exceptions. Not by email. Not by chat. A voice call to a number you already have on file — not the number in the email.

If your firm handles client funds — trust accounts, escrow, patient billing, vendor payments — this is the conversation you need to have with your staff this week.

85% of Alerts Start with Stolen Credentials

SonicWall's data shows that identity, cloud, and credential compromise account for 85% of actionable security alerts. The most common way attackers get into environments isn't through some exotic vulnerability. It's a stolen password.

Two numbers from the report frame the problem. Exploits appear within 48 hours of a vulnerability becoming public in 61% of cases. But the average organization takes over 100 days to patch a high-severity vulnerability. That gap — hours on the attacker's side versus months on the defender's — is a process failure, not a technology failure.

What we see in practice is simpler than a sophisticated attack. End users suspend or disable Windows updates because restarting in the middle of the workday is inconvenient. And that's just the operating system — BIOS, drivers, firmware, and peripheral updates almost never get touched at all. Every one of those is a door left unlocked, sitting open for months.

The report also found that 66% of small and mid-size businesses globally haven't implemented multi-factor authentication at all. We enforce MFA on every admin account, every remote access connection, and every cloud application across our managed environments — no exceptions. The SonicWall data shows exactly why that policy exists.

"We're Too Small to Be a Target"

Ransomware was involved in 88% of small business breaches in 2025, compared to 39% at large enterprises. Small businesses aren't safer because they're small. They're more exposed because they've traded complexity for convenience — flat networks, broadly shared admin credentials, and VPN connections that grant access to everything once someone logs in.

Automated scanning tools don't filter by company size. They filter by vulnerability. SonicWall measured over 36,000 vulnerability scans per second across the internet in 2025. If your systems are exposed, you're a target regardless of your revenue or your headcount.

The SonicWall report found the same pattern in post-incident reviews of compromised SMB environments: a single admin account was the entry point, and from there, the attacker moved without resistance. Default credentials on network devices, shared admin passwords, and accounts that hadn't been reviewed in years gave attackers immediate, broad access.

Almost every client we onboard arrives with a flat network and shared admin credentials. Network segmentation has never come up — not because anyone made a bad decision, but because it never made the priority list. And if they have a firewall at all, it usually hasn't been updated since the day it was installed, along with most of the other devices on the network.

What the Patch Gap Actually Looks Like

SonicWall found that 32% of ransomware incidents in 2025 started with an exploited vulnerability — making it the single most common technical cause, ahead of compromised credentials and phishing. The Log4j vulnerability, discovered four years ago, was still targeted over 825 million times last year.

Old vulnerabilities don't retire. They accumulate. Every unpatched system is a door that attackers already have the key to — they just need to find it, and automated tools make that search almost instantaneous.

This is why patch management isn't a quarterly project in our managed environments. N-Sight runs automated patching on a continuous cycle, prioritizing internet-facing and critical systems. The window between "vulnerability disclosed" and "patch applied" is where breaches happen, and our job is to keep that window as small as possible.

A live view from one of our managed environments — patch status, device monitoring, and unmonitored-device tracking across 71 endpoints. Continuous patching keeps the disclosure-to-patch window as small as possible.

One Thing to Do This Week

Talk to your office manager or bookkeeper and establish one rule: any request to change payment information — whether it comes from a vendor, a partner, or an internal email that looks like it came from leadership — gets verified by a phone call to a number you already have on file. One conversation. One rule. It addresses the single largest category of financial loss that the warranty provider backing your coverage sees across their entire book of business.

Brian Sammons has managed IT environments for Ohio professional service firms since 2002. He writes the Weekly Briefing to help practice managers understand what's happening in cybersecurity and what it means for their firms.

Questions about how this affects your environment? Schedule 15 minutes and I'll walk you through it.