55% of small and medium-sized businesses in North America lack basic email security protections, according to new research from cyber risk intelligence provider KYND. The figure stands at 54.9%, compared with 31.7% of small and medium-sized enterprises in the UK.
The research points to broad cyber exposure among smaller companies. It also shows a large coverage and advisory gap for cyber insurers and brokers working with the SMB market.
KYND analyzed 7,980 SMBs across the U.S. and Canada, along with 830 UK SMEs. The study found common weaknesses in cyber hygiene, including poor email authentication, outdated software, and exposed internet-facing services.
Those weaknesses are often linked to phishing, ransomware, and business email compromise attacks. Many of them are visible from outside a company’s network.
54.9% of North American SMBs and 31.7% of UK SMEs had missing or invalid SPF and DMARC email authentication controls. Weak or absent controls increase exposure to phishing, impersonation, and fraud.
Outdated software remains another widespread issue. The research found 51% of North American SMBs and 55.1% of UK SMEs were running old software, widening their exposure window to cyber threats.
The study also found exposed file-sharing services using Server Message Block. Those were present at 10.7% of North American SMBs and 8.0% of UK SMEs.
Exposed remote access systems using Remote Desktop Protocol were found at 9.5% of North American SMBs and 5.8% of UK SMEs.
In some cases, companies had both remote access and file-sharing services exposed at the same time. That combined exposure affected 4.3% of North American SMBs and 2.7% of UK SMEs. It creates several possible entry points for attackers.
These weaknesses are commonly used in real-world attacks. Ransomware and business email compromise continue to account for a large share of cyber insurance claims worldwide.
Ransomware attacks are set to rise sharply, with victims publicly named on leak sites expected to climb from 5,010 in 2024 to more than 7,000 by the end of 2026, according to QBE. The jump marks a fivefold increase since 2020, when only 1,412 victims appeared on those sites.
Cyber insurance penetration among SMBs and SMEs remains low. KYND said estimates often place it below 10% in many segments, leaving a clear gap between cyber exposure and protection.
Ben Duffy, VP and head of North America at KYND, said many of these risks are externally visible and relatively easy for attackers to spot. He said the research shows SMB cyber exposure is widespread, measurable, and often preventable.
Duffy said insurers and brokers have an opportunity to pair coverage with practical, data-led cyber risk insight. Better exposure visibility can improve underwriting, reduce friction across the insurance lifecycle, and support stronger cyber resilience among smaller businesses. “There is a clear opportunity for insurers and brokers to play a more proactive role by combining insurance coverage with practical, data-led cyber risk insight”.
Better visibility of exposure can help improve underwriting, reduce friction across the insurance lifecycle, and ultimately support stronger cyber resilience among smaller businesses.
KYND said external cyber risk intelligence could help insurers streamline underwriting as the cyber insurance market grows. It could also help brokers expand SMB cyber portfolios and provide more proactive risk management services to clients.
KYND is encouraging insurers to:
- Use external risk signals to improve underwriting accuracy and portfolio segmentation
- Support SMBs with practical insights to reduce exposure before incidents occur
- Simplify the process of selling and renewing cyber insurance through better data
- Move toward continuous monitoring of cyber risk across insured portfolios.
“Cyber risk is a core business risk for smaller organizations globally,” Duffy added. “By helping businesses better understand and manage that exposure, insurers have an opportunity to create value both for their clients and their own portfolios.”
