A new international survey of 684 employees finds that password reuse, unsanctioned AI tools, and skipped security training are quietly undoing years of investment in cybersecurity technology at small and midsize businesses.

Despite record spending on cybersecurity tools, the biggest vulnerability inside small and midmarket organizations may not be a piece of software at all — it is the people using it. That is the central finding of WatchGuard Technologies’ 2026 Cybersecurity Hygiene Report, an independent survey of 684 employees across the United States, the United Kingdom, Germany, France, Australia, Brazil, Mexico, and Spain, published this week.

According to the report, 76 percent of respondents admit to reusing passwords across multiple accounts at least occasionally, while only 22 percent use multi-factor authentication (MFA) everywhere. That combination, the authors argue, creates an unusually wide credential attack surface: a single leaked password can, in theory, unlock several accounts at once, and without MFA there is often nothing left to stop it. On a more encouraging note, 63 percent of employees say they already use a password manager, and 94 percent report creating complex passwords without being prompted to do so — evidence, the report notes, that tool availability alone does not guarantee safe behavior.

The survey also points to a widening gap between where employees actually work and where corporate security controls were designed to operate. Seventy percent of respondents said they connect to public Wi-Fi for work tasks, but only about a fifth use a VPN or zero-trust network access when doing so. More than half use company devices for personal browsing or online shopping, and nearly a third have left a work device unattended in a public place at some point.

Shadow AI use emerges as one of the report’s starker findings: 64 percent of employees say they use consumer AI tools such as public chatbots for work tasks without formal approval, policy guidance, or oversight from their employer. Compounding the risk, only 61 percent of respondents believe their organization maintains an accurate inventory of the software running across its systems — meaning that for a significant share of companies, this AI usage is essentially invisible until something goes wrong. WatchGuard’s researchers describe shadow AI adoption as “the defining governance gap of 2026.”

Training gaps compound the picture. Nearly one in four employees, 23 percent, say they have never received any phishing or social engineering training, and even among those who have, risky habits persist: 26 percent report opening links or attachments from unknown senders, and only a quarter say they routinely take precautions before clicking a link in an email. Basic protections such as antivirus software are broadly but not universally deployed, with 7 percent of respondents reporting no antivirus coverage on any device.

The report also links personal cyber hygiene to organizational risk. Thirty percent of respondents said they had experienced some form of identity theft in the past year, while only 18 percent back up their data regularly and just 10 percent use a unique password for every account. Because personal and corporate credentials frequently overlap, WatchGuard argues that a compromised personal account can become an entry point into company systems.

Notably, the survey found little correlation between education, seniority, and safer behavior. Nearly half of respondents are aged 30 to 44 and more than three-quarters hold a college degree, yet password reuse and shadow AI adoption remain just as common among this experienced cohort — suggesting, the authors write, that seasoned employees are more likely to build workarounds that favor convenience over compliance.

For IT managers, the report’s authors recommend treating credential security as an infrastructure issue rather than a training one: mandatory password manager rollouts, organization-wide MFA enforcement, and formal AI acceptable-use policies drafted jointly with legal and compliance teams. They also call for continuous phishing simulation in place of annual training sessions, and for extending device and network policy — including MDM, DNS filtering, and always-on VPN — to cover the hybrid environments where employees now actually work.

The report frames these same findings as a commercial opportunity for managed service providers, arguing that MSPs able to quantify a client’s “human risk” and demonstrate measurable improvement over time — such as a falling phishing-simulation click rate — will strengthen client retention. “The cybersecurity challenge facing SMB and midmarket organizations is no longer primarily a technology problem — it is a human behavior problem,” said Marc Laliberte, WatchGuard’s Head of Security Operations, in the report’s closing note. “Fortunately, the controls to protect these organizations exist.”

Editorial note: The survey was commissioned and published by WatchGuard Technologies, a cybersecurity vendor with a commercial interest in the topic; all figures are self-reported by employees and have not been independently verified.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de

Leave a Reply

Your email address will not be published. Required fields are marked *

WordPress Cookie Notice by Real Cookie Banner