TL;DR

AI-powered attacks surged 47% in 2025, with deepfake phishing alone jumping 310% since 2023 — but most SMBs are buying AI-branded security tools without understanding what actually stops these threats. The real defence isn't one magical AI platform; it's layered controls targeting specific attack surfaces: AI-aware email filtering, identity verification for voice/video, prompt injection guardrails on any AI agent touching business data, and a governance framework that treats AI tools like any other third-party vendor.​‌‌​​​​‌‍​‌‌​‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌‌​​‌‍​‌‌​​​‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​‌‌‌‌‍​‌‌‌​​‌​‍​‌‌​‌​‌‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

The Threat Landscape Has Changed — And It's Personal

AI didn't invent cybercrime, but it industrialised it. Where attackers once spent weeks crafting a single spear-phishing email, they now generate hundreds of personalised, grammatically flawless messages in minutes. The numbers tell the story: 68% of cyber threat analysts say AI-generated phishing is harder to detect in 2025 than any previous year, and 63% of cybersecurity professionals now rank AI-driven social engineering as their organisation's top threat for 2026.

For SMBs, this is existential. 60% of small businesses that suffer a significant breach close within six months. The average cost of an AI-powered data breach hit $5.72 million in 2025 — a 13% jump — and financial services bore 33% of all AI-driven

incidents. Australian businesses are in the crosshairs too: 20% of companies report being targeted by deepfake attacks daily.​‌‌​​​​‌‍​‌‌​‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌‌​​‌‍​‌‌​​​‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​‌‌‌‌‍​‌‌‌​​‌​‍​‌‌​‌​‌‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

What makes this different from traditional threats is scale and believability. AI-generated phishing doesn't have typos. Deepfake voice clones don't sound robotic. The attacker's economics have flipped: cheaper to attack, harder to detect, and the defensive tools marketed as "AI-powered" are not all created equal.

AI-Powered Phishing and Deepfake Social Engineering: The Front Door Attack

Phishing remains the number-one initial access vector. AI has made it dramatically more effective. Large language models generate contextually convincing emails that reference real business relationships, recent transactions, and internal jargon scraped from breached data or public sources. Business Email Compromise (BEC) attacks powered by AI now craft messages that pass both spam filters and human inspection.

Deepfake attacks are the escalation. In one commonly reported pattern, a finance controller receives a voicemail that sounds identical to the CEO — cloned from just seconds of publicly available audio from a conference talk or podcast. The message authorises an urgent wire transfer. These synthetic media attacks grew 62% year-over-year in 2025, primarily targeting enterprise verification systems and financial controls.

What actually works for SMBs:

  • Microsoft Defender for Business (~$6 AUD/user/month) includes AI-driven email protection that analyses writing patterns, sender reputation anomalies, and link behaviour in real time. It catches a meaningful chunk of AI-generated phishing that legacy signature-based tools miss.
  • CrowdStrike Falcon Go (~$30 USD/device/month) provides endpoint detection with behavioural AI that flags unusual process chains — the kind of activity that follows a successful phishing payload. It's designed for organisations without a security team.
  • Identity verification protocols are the cheapest and most effective control against deepfake social engineering. The rule is simple: any financial transaction or credential change requested via voice, video, or email must be confirmed through a separate channel. A phone call to a known number. An in-person check. This costs nothing to implement and stops the majority of deepfake-driven fraud.
  • Security awareness training must now include deepfake examples. Platforms like KnowBe4 and Proofpoint offer AI-specific phishing simulation modules. Budget $2–5 AUD per user per month.

What's hype: Any vendor claiming their tool "detects all deepfakes" is overstating. Detection accuracy varies wildly depending on the model, language, and audio quality. The arms race between generation and detection favours the attacker. Verification protocols beat detection tools every time.

Prompt Injection and AI Agent Security: The New Attack Surface You Probably Haven't Secured

If your business uses AI agents — chatbots handling customer queries, AI assistants with access to internal documents, automated workflows that chain LLM calls to tools and databases — you have a new attack surface that traditional security doesn't cover.

Prompt injection is the single most exploited vulnerability in modern AI systems. An attacker embeds malicious instructions inside data that an AI agent reads: a support ticket, a document, an email subject line. The agent interprets these as commands and executes them. In an enterprise context, this can mean exfiltrating customer data, modifying records, or escalating privileges — all through natural language manipulation.

The risk compounds with agentic AI. Agents chain actions together, access multiple systems, and operate at machine speed. NIST classifies this as "agent hijacking" — a form of indirect prompt injection where malicious instructions hidden in consumed data push the agent toward unintended actions. A single poisoned input can cascade across your CRM, email, and file storage.

The OWASP Top 10 for LLM Applications ranks prompt injection, sensitive information disclosure, and supply chain vulnerabilities as the top three threats. For agentic AI specifically, the top concerns are memory poisoning (corrupting an agent's persistent state), tool misuse (tricking an agent into calling APIs it shouldn't), and privilege compromise.

What actually works for SMBs:

  • Principle of least privilege for agents. Every AI agent should have the minimum access required for its function. A customer-facing chatbot does not need database write access. An internal summarisation tool does not need email-sending capability. Audit what your agents can reach.
  • Input sanitisation and output filtering. Any data fed to an AI agent from external sources (customer inputs, web scraping, third-party APIs) must be sanitised. Products like Lasso Security's MCP Gateway and Protect AI's Guardian enforce context guardrails and monitor prompts in real time. Budget $500–2,000 AUD/month depending on usage.
  • Human-in-the-loop for high-risk actions. Any AI agent action involving financial transactions, data deletion, credential changes, or external communications should require explicit human approval. This is a design choice, not a product — and it's free to implement.

What's hype: "AI firewall" products that claim to block all prompt injections. The academic literature is clear: prompt injection is an unsolved problem in general. Mitigations reduce risk; they do not eliminate it. Any vendor claiming otherwise is not being honest.

Model Theft and AI Supply Chain Risks: Guarding Your Competitive Edge

Model theft — stealing proprietary or fine-tuned AI models — is an emerging threat most SMBs haven't considered. If you've invested in fine-tuning a model on your customer data, sales patterns, or proprietary processes, that model is a valuable intellectual property asset. Attackers targeting model weights, training data, or inference APIs can replicate your competitive advantage overnight.

The broader supply chain risk is equally concerning. The OWASP Top 10 for LLMs flags "LLM supply chain vulnerabilities" at number three: using pre-trained models or plugins from untrusted sources can introduce backdoors, data exfiltration channels, or biased behaviour that's nearly impossible to detect through normal testing.

Practical steps for SMBs:

  • Inventory every AI tool and model your organisation uses. Who provides it? What data does it access? Where are model weights stored? This sounds basic, but most SMBs cannot answer these questions.
  • Vet AI vendors like any other third-party supplier. Ask for SOC 2 reports, data handling policies, and incident response procedures. If a vendor can't provide these, find an alternative.
  • Scan for hallucinated dependencies. AI-generated code can reference packages that don't exist — a growing attack vector where attackers publish malicious packages under those names. Tools like Socket.dev and Snyk detect these automatically. Free tiers cover most SMB needs.

Governance Frameworks: The Boring Thing That Actually Saves You

Technology alone won't solve this. The organisations that survive AI-driven attacks are the ones with governance frameworks that dictate how AI is used, monitored, and responded to when things go wrong.

The essential components for SMBs:

  1. AI usage policy. Document which AI tools are approved, what data can be shared with them, and what tasks require human oversight. This should be a living document, not a one-time exercise.
  2. Vendor risk assessments. Every AI tool gets evaluated against the same criteria: data residency, encryption at rest and in transit, access controls, breach notification timeline, and right to audit. Use the NIST AI Risk Management Framework (AI RMF 1.0) as your reference structure.
  3. Incident response plan updated for AI. Your IR plan needs scenarios for AI-specific incidents: prompt injection leading to data exposure, deepfake-driven fraud, AI agent misconfiguration. Practice these scenarios annually.
  4. Continuous monitoring. The Australian Cyber Security Centre (ACSC) Essential Eight remains the baseline. Layer AI-specific monitoring on top: log all AI agent actions, alert on anomalous tool usage patterns, and review agent permissions quarterly.

Cost reality: A basic AI governance framework can be implemented for $5,000–15,000 AUD for a 50-person SMB using existing staff and open-source templates. That's roughly 0.3% of the average breach cost. It's the highest-ROI security investment you can make.

FAQ

Q: Do SMBs really need AI-specific security tools, or are traditional tools enough? A: Traditional tools miss AI-generated threats. AI phishing passes legacy spam filters because it's grammatically correct and contextually relevant. Deepfake voice attacks bypass call-back verification if you don't have a secondary channel. You need at minimum AI-aware email filtering and identity verification protocols. You do not need every "AI-powered" product on the market.

Q: How much should an SMB budget for AI-specific cybersecurity? A: For a 50-person business, budget $15,000–30,000 AUD per year. This covers endpoint detection (CrowdStrike Falcon Go or similar), email security (Microsoft Defender for Business), security awareness training with AI modules (KnowBe4), and basic governance implementation. Scale up or down based on your industry risk profile.

Q: What's the biggest gap in most SMB security postures right now? A: AI agent access controls. Most businesses deploying AI chatbots, assistants, or automated workflows haven't audited what those agents can access or do. A customer-facing chatbot with access to an internal knowledge base is a data breach waiting to happen. Fix this first — it costs nothing to restrict permissions.

Q: Are Australian businesses specifically targeted? A: Yes. Australian businesses face above-average rates of AI-driven social engineering, with 20% reporting daily deepfake targeting. The ACSC has issued specific guidance on AI-enabled threats. Australian SMBs in financial services, healthcare, and professional services are particularly attractive targets due to high-value data and historically lower security maturity compared to enterprise peers.

Conclusion

AI cybersecurity for SMBs isn't about buying the most expensive AI-branded tool. It's about understanding the specific threats — AI phishing, deepfake social engineering, prompt injection, supply chain risks — and applying targeted, layered controls. The most effective defences are often the cheapest: verification protocols, least-privilege agent design, and a governance framework that treats AI like any other business risk.

Start with an inventory of every AI tool your business uses. Audit what each one can access. Implement a verification protocol for any financial action requested electronically. Train your team on what AI-generated attacks look like. Then layer in the technology: AI-aware email filtering, behavioural endpoint detection, and prompt injection guardrails for any agent-facing systems.

The threats are real and growing. The defences are achievable. The gap between the two is usually just awareness and action.

Visit consult.lil.business for a free cybersecurity assessment tailored to your business.

References

  1. AI Cyber Attacks Statistics 2026: Attacks, Deepfakes & Ransomware — SQ Magazine
  2. Prompt Injection Attacks: The Most Common AI Exploit in 2025 — Obsidian Security
  3. Enterprises Are Racing to Secure Agentic AI Deployments — Help Net Security
  4. NIST AI Risk Management Framework (AI RMF 1.0) — National Institute of Standards and Technology
  5. 25 Social Engineering Statistics That MSPs Should Know About in 2026 — Guardz

Stop Patching Everything: Why Only 1% of Security Bugs Actually Matter (ELI10)

TL;DR

  • Imagine 48,000 people left notes in your mailbox saying "there's a crack in your wall." Only 480 of those cracks are the ones burglars actually use.
  • Security researchers just confirmed: 99% of reported software bugs are never used in real attacks.
  • There is a free government list of the bugs that are being used — and that is the only list that matters.
  • Fixing your locks matters more than worrying about every theoretical crack.

The Giant Pile of "Security Problems" Nobody Is Actually Using

Every year, security researchers find bugs in software. Every bug gets a number — called a CVE — and gets added to a public list. In 2025, there were 48,000 new CVEs [1].

Forty-eight thousand. That is a lot of scary-sounding notifications.

Here is the thing nobody tells you: only about 480 of those bugs were actually used by hackers in real attacks [1]. That is 1%.

Think of it like this: imagine your town has 48,000 doors with slightly broken locks. A burglar is not going to try every single door. They are going to go to the street where the doors are easy to open, the ones they know how to pick, and the ones where they have seen other burglars have success. The other 47,520 doors? Nobody is bothering with them.

So Which 1% Should You Actually Fix?

The good news: you do not have to figure this out yourself. The US government's cybersecurity agency (CISA) keeps a free, public list called the Known Exploited Vulnerabilities catalogue [3]. It is updated constantly and only includes bugs that have real, confirmed evidence of being used against real businesses.

If your business uses software that shows up on that list — fix it fast. That is the 1% that actually matters.

This week is a perfect example. On February 26, the government told every federal agency they had one day to fix a bug in Cisco's network software [5]. Why? Because hackers had figured out how to get full administrator access to these systems without even needing a password [6]. That is not a theoretical risk — it is an active attack.

Even if your business is not a government agency, if you use Cisco SD-WAN networking equipment, you should be patching it right now.

Why Does Patching Everything Actually Make Things Worse?

When you try to fix every single bug on the list, two things happen.

First, your IT person burns out trying to keep up with an impossible task. Second, they start treating every update the same — which means the actually dangerous ones can get lost in the pile.

IBM's annual security report — which looks at thousands of real cyberattacks — found that the biggest attack method in 2025 was not some exotic spy movie hack [2]. It was attackers walking into systems that were missing basic security updates. Simple stuff. But because those businesses were overwhelmed trying to keep up with 48,000 potential bugs, the important patches got delayed.

What Should You Actually Do?

Here is a simple routine that works for a business your size:

Every week: Check the CISA Known Exploited Vulnerabilities list (it is free at cisa.gov). If any software you use appears there — update it before you do anything else that day.

Every month: Update the public-facing software your business uses — your website, any remote access tools (like VPNs), your email system. These are the doors hackers try first.

Every few months: Update everything else, in batches, during a quiet period.

That is it. Not 48,000 updates. A prioritised, manageable routine.

One more thing: IBM found that 82% of modern attacks do not even use software bugs at all [2]. Attackers are just logging in with stolen passwords. So having strong, unique passwords plus two-step verification (MFA) on your key accounts is worth more than scrambling to patch every low-priority bug.

Action List: What to Do Right Now

  1. Bookmark this link: cisa.gov/known-exploited-vulnerabilities-catalog — check it every Monday morning.
  2. Set up MFA (two-step verification) on your email, banking, and any remote access tools. This stops most attacks before any patch matters.
  3. If you use Cisco SD-WAN: update it now. Today. The bug is actively being exploited and allows full admin access without a password [5].
  4. Ask your IT person (or a security consultant) to show you which software your business runs that faces the internet — those are the highest-priority systems.

Being secure does not mean panicking about 48,000 things. It means knowing which 480 things actually matter — and acting on those quickly.

FAQ

A CVE (Common Vulnerability and Exposure) is a numbered security flaw in software that has been officially documented. In 2025, there were 48,000 of them. Think of each one as a notification that says "this software has a potential crack in it."

According to new research from VulnCheck, yes — only 1% of 2025 CVEs were confirmed to be used in real-world attacks [1]. That said, the key is knowing which 1%. The CISA KEV list tells you exactly that.

MFA (Multi-Factor Authentication) means logging in with two steps — your password plus a code sent to your phone or an app. IBM's security research found 82% of modern attacks use stolen passwords rather than software bugs [2]. MFA stops these attacks even if every other patch is behind schedule.

A bug in Cisco's network management software (Catalyst SD-WAN) lets attackers get full admin control without needing any password [5, 6]. It is being actively exploited right now. If your business uses this Cisco product, apply the available update immediately.

Visit cisa.gov/known-exploited-vulnerabilities-catalog. It is free, public, and updated continuously. No account needed.

References

[1] VulnCheck, "2026 VulnCheck Exploit Intelligence Report," VulnCheck, Feb. 2026. [Online]. Available: https://www.vulncheck.com/blog/2026-vulncheck-exploit-intelligence-report

[2] IBM Security, "2026 X-Force Threat Intelligence Index," IBM, Feb. 25, 2026. [Online]. Available: https://www.ibm.com/reports/threat-intelligence

[3] CISA, "Known Exploited Vulnerabilities Catalog," CISA, 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[4] CrowdStrike, "2026 CrowdStrike Global Threat Report," CrowdStrike, 2026. [Online]. Available: https://www.crowdstrike.com/en-us/global-threat-report/

[5] CISA, "Emergency Directive ED-26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems," CISA, Feb. 26, 2026. [Online]. Available: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems

[6] "CISA gives agencies until Friday to patch critical cyber bug," Federal News Network, Feb. 26, 2026. [Online]. Available: https://federalnewsnetwork.com/cybersecurity/2026/02/cisa-gives-agencies-until-friday-to-patch-critical-cyber-bug/

[7] Cisco, "Cisco Catalyst SD-WAN Vulnerabilities Advisory," Cisco, Feb. 2026. [Online]. Available: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

[8] Hackread, "Report Finds Just 1% of Security Flaws Drive Most Cyberattacks in 2025," Hackread, Feb. 27, 2026. [Online]. Available: https://hackread.com/1-security-flaws-drive-cyberattacks-2025-report/

Ready to stop reacting to every security headline and start protecting what actually matters? lilMONSTER helps SMBs build resilient, practical security — without the overwhelm. Talk to us →

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation