Small businesses still get asked the same comforting security question all the time: “Do you use MFA?” It is not a bad question. It is just no longer a sufficient one.

The last few days of security reporting make that pretty clear. On April 20, 2026, CISA added eight more actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog. On April 21, 2026, Microsoft published new guidance on detecting identity abuse tied to fraudulent remote IT worker activity across cloud and HR systems. On April 22, 2026, Cisco Talos reported that phishing reemerged as the top initial access vector in its Q1 2026 incident-response work, accounting for more than a third of the engagements where initial access could be determined.

Those are not three unrelated headlines. They describe the same business problem from different angles. Attackers are still getting in through email and phishing, but they are increasingly succeeding by abusing real accounts, trusted workflows, exposed business systems, and post-login blind spots. For founders and operators, that changes what “good enough security” looks like. It also changes what your team should be prepared to say when a prospect, partner, or auditor asks how you protect customer data.

Why the story is shifting from login security to identity operations

For a long time, the default SMB playbook was simple: add MFA, use a password manager, run endpoint protection, and patch when possible. Those things still matter. But the current threat picture is more operational than that.

Microsoft’s April 21 research is a good example. The piece is about fraudulent remote IT workers, but the important lesson is broader. Attackers are not always barging in through one dramatic exploit. Sometimes they are working through legitimate hiring, onboarding, payroll, and identity systems, then blending into normal activity. That means the question is no longer just whether a user authenticated correctly. It is whether the business can detect risky behavior around identity, role assignment, access expansion, and unusual workflow activity after authentication.

Talos’ April 22 report supports the same point from the incident-response side. Phishing is back on top as an entry point, and Talos specifically described a case where an AI-based web application tool was used to generate a credential-harvesting page targeting Microsoft Exchange and Outlook Web Access users. The implication for SMBs is uncomfortable but useful: the barrier to building convincing phishing infrastructure keeps dropping, so prevention alone will not save you. You need layered controls that assume some bad clicks will still happen.

That is why identity hardening is starting to look less like a settings checklist and more like an operating model.

What this means for security questionnaires and buyer trust

This is where a lot of smaller companies get caught flat-footed. They may have decent instincts, but when an enterprise buyer sends over a security questionnaire, the answers are too thin. “Yes, we use MFA.” “Yes, we run updates.” “Yes, we use least privilege where possible.” Those statements are not necessarily false. They are just weak.

Buyers are getting more specific because the threat landscape is getting more specific. They increasingly want to know whether you monitor unusual sign-ins, whether privileged access is separated, whether inbox forwarding and OAuth app risk are reviewed, how quickly high-risk vulnerabilities are remediated, and what happens if identity abuse is suspected. If your security story begins and ends with MFA, it sounds like a small company that has not yet translated security intent into operational controls.

CISA’s April 20 KEV update is a good reminder why that matters. The list included actively exploited issues in products like PaperCut, TeamCity, Quest KACE, Zimbra, and Cisco SD-WAN Manager. That is not just a vulnerability-management story. It is an exposure-management story. If an attacker can hit a reachable system, steal a foothold, and pivot toward credentials or privileged access, your identity posture and your patching posture become the same conversation.

That is exactly what security questionnaires are trying to get at, even when the wording is clumsy. Buyers want evidence that your team can identify risk, assign ownership, act quickly, and explain what happened later.

What practical control implementation looks like now

For most SMBs, the right response is not to build an enterprise-scale SOC. It is to tighten a handful of high-value controls and turn them into repeatable routines.

Start with identity. Admin access should be separate from daily-use accounts. High-risk users in finance, leadership, and operations should have stronger sign-in policy than everyone else. Shared inboxes, mailbox forwarding, OAuth app consent, and password-reset paths deserve more attention than they usually get. If your systems support step-up authentication or context-aware checks after login, use them where business risk is highest.

Then connect that identity layer to vulnerability workflow. When CISA adds new KEVs, someone should know whether your environment is affected, who owns the patch or mitigation, and how exceptions are documented. If a buyer asks how quickly you address actively exploited issues, your answer should come from a real process, not optimism.

Finally, document your controls in buyer language. Not legal language, not vendor marketing language. Plain operational language. Who reviews access. How phishing is handled. What logs are checked. How incidents escalate. What systems are in scope. The goal is not to sound bigger than you are. The goal is to sound like a company that knows how its security actually works.

Why this matters right now

The April 20, April 21, and April 22 updates all point to the same conclusion. Security pressure is moving toward identity, valid accounts, and business workflow abuse. The companies that handle that well will not necessarily be the ones with the most tools. They will be the ones with clearer controls, better ownership, and fewer blind spots after the login succeeds.

For SMBs, that is actually good news. It means meaningful progress is still available without a massive budget. Hardening email and identity, tightening post-authentication checks, running a real vulnerability workflow, and preparing cleaner questionnaire answers can materially improve both security and sales readiness.

If your current security story still leans too heavily on “we turned on MFA,” this is a good week to upgrade the story and the system behind it. Buyers, attackers, and auditors have all moved on. Your controls should too.


Why this matters

This maps directly to GGEZ’s email and identity hardening, practical control implementation, vulnerability management workflows, and security readiness for sales and audits. The immediate value is helping SMBs tighten sign-in policy, reduce post-authentication blind spots, document control ownership, and answer buyer questionnaires with something stronger than generic policy language.

Sources

Need help applying this?

If your team needs practical security help instead of generic checklists, GGEZ can help you harden the basics and organize the work. See the related service area.