<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet type="text/xsl" href="/blog/assets/rss.xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Breach Security — Insights</title>
    <link>https://breachsecurity.io/blog/</link>
    <description>Cybersecurity and compliance insights for small businesses, healthcare practices, and insurance partners.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en-us</language>
    <lastBuildDate>Sun, 21 Jun 2026 02:30:09 +0000</lastBuildDate>
    <managingEditor>support@breachsecurity.io (Jeff O'Connor)</managingEditor>
    <webMaster>support@breachsecurity.io (Jeff O'Connor)</webMaster>
    <item>
      <title>Cyber Essentials vs. HITRUST vs. SOC 2: Which One Do You Actually Need?</title>
      <link>https://breachsecurity.io/blog/cyber-essentials-vs-hitrust-vs-soc2/</link>
      <description>Cyber Essentials, HITRUST, and SOC 2 sound similar but solve very different problems. A plain-English comparison for small business owners deciding which one applies.</description>
      <content:encoded>&lt;p&gt;A client asks for “your SOC 2.” A prospect’s vendor questionnaire mentions HITRUST. A partner in the UK mentions Cyber Essentials. All three sound like cybersecurity certifications you might need. They are not the same thing, and most small businesses do not need any of them yet.&lt;/p&gt;
&lt;p&gt;This post lays out the differences in plain English: what each one is, who asks for it, what it costs, and what size of business it fits.&lt;/p&gt;
&lt;h2 id="the-three-frameworks-in-one-sentence-each"&gt;The three frameworks in one sentence each&lt;a class="headerlink" href="#the-three-frameworks-in-one-sentence-each"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;UK Cyber Essentials&lt;/strong&gt; is a UK government-backed baseline cybersecurity certification scheme aimed at small organizations. It covers five technical control areas and is verified by self-assessment or by a one-day external assessment.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;HITRUST CSF&lt;/strong&gt; is a US healthcare-focused, prescriptive control framework with three tiers of certification (e1, i1, r2) that map to HIPAA, NIST, ISO 27001, and several other standards. It is administered by HITRUST Alliance, a private organization.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SOC 2 Type II&lt;/strong&gt; is an AICPA-defined attestation report produced by a licensed CPA firm, reporting on how a service organization’s controls operated over a 6-to-12-month observation period against the AICPA Trust Services Criteria.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;All three are real, all three are credible, and they solve different problems for different audiences.&lt;/p&gt;
&lt;h2 id="what-each-framework-actually-covers"&gt;What each framework actually covers&lt;a class="headerlink" href="#what-each-framework-actually-covers"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;h3 id="uk-cyber-essentials"&gt;UK Cyber Essentials&lt;a class="headerlink" href="#uk-cyber-essentials"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;Cyber Essentials was launched by the UK National Cyber Security Centre (NCSC) in 2014 and is the baseline cybersecurity requirement for organizations bidding on UK government contracts that touch personal or technical data. It covers five technical control areas: firewalls and internet gateways, secure configuration, user access control, malware protection, and security update management.&lt;/p&gt;
&lt;p&gt;Two levels: Cyber Essentials (self-assessment, verified by a certifying body) and Cyber Essentials Plus (the same controls plus external technical testing). The self-assessment version is intentionally accessible to small organizations.&lt;/p&gt;
&lt;p&gt;It is concrete, technical, and narrow. It does not address governance, risk management, vendor oversight, or incident response. It does not produce an attestation report a customer can read.&lt;/p&gt;
&lt;h3 id="hitrust-csf"&gt;HITRUST CSF&lt;a class="headerlink" href="#hitrust-csf"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;HITRUST CSF (Common Security Framework) consolidates HIPAA, NIST SP 800-53, ISO 27001, PCI DSS, and several state laws into a single set of testable controls. Most commonly required by large healthcare payers, health systems, and pharma companies of their downstream vendors and business associates.&lt;/p&gt;
&lt;p&gt;Three certification tiers as of the 2025 refresh:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;e1 (Essentials, 1-year)&lt;/strong&gt;: entry tier, roughly 44 controls&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;i1 (Implemented, 1-year)&lt;/strong&gt;: intermediate, roughly 180 controls&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;r2 (Risk-based, 2-year)&lt;/strong&gt;: comprehensive, several hundred controls calibrated to risk factors&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Certification is performed by HITRUST-authorized external assessors and produces a formal report and a public listing. It is the dominant security certification in US healthcare-adjacent B2B procurement.&lt;/p&gt;
&lt;h3 id="soc-2-type-ii"&gt;SOC 2 Type II&lt;a class="headerlink" href="#soc-2-type-ii"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;SOC 2 is an attestation, not a certification. A CPA firm registered under the AICPA examines your controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy; security is mandatory, the rest are selectable). The CPA issues a report.&lt;/p&gt;
&lt;p&gt;Type I reports on design at a point in time. Type II reports on design AND operating effectiveness over a 6-to-12-month observation window. Type II is what enterprise customers ask for.&lt;/p&gt;
&lt;p&gt;SOC 2 is the dominant security attestation in US B2B SaaS. Almost every mid-market and enterprise software buyer’s security questionnaire asks for it before signing a contract above some threshold.&lt;/p&gt;
&lt;h2 id="who-actually-asks-for-each-one"&gt;Who actually asks for each one&lt;a class="headerlink" href="#who-actually-asks-for-each-one"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;This is the most important question, because it determines whether you should care.&lt;/p&gt;
&lt;h3 id="cyber-essentials-is-asked-for-if"&gt;Cyber Essentials is asked for if&lt;a class="headerlink" href="#cyber-essentials-is-asked-for-if"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;You sell to UK government bodies or their prime contractors, you have UK-based clients with formal procurement processes, or you operate primarily in the UK and want a recognized baseline credential.&lt;/p&gt;
&lt;p&gt;If you are a US small business that does not sell to UK customers, no US buyer is going to ask for the UK Cyber Essentials scheme. (Worth noting: our paid Cyber Essentials bundle uses the name in a broader sense, referring to a foundational set of 12 written policies. The UK government scheme is separate and narrower. If a US customer asked you for “Cyber Essentials,” confirm which they mean. Nine times out of ten they mean the broader policy set.)&lt;/p&gt;
&lt;h3 id="hitrust-is-asked-for-if"&gt;HITRUST is asked for if&lt;a class="headerlink" href="#hitrust-is-asked-for-if"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;You are a vendor to large hospital systems, payers, or pharma companies, you handle PHI at scale on behalf of a covered entity, or your customer’s procurement team specifies “HITRUST certified or willing to begin certification within X months.”&lt;/p&gt;
&lt;p&gt;HITRUST is rare outside healthcare-adjacent B2B. A 4-person dental practice will never be asked for HITRUST, because it is a covered entity itself, not a vendor; it needs HIPAA-aligned documentation, not HITRUST certification.&lt;/p&gt;
&lt;h3 id="soc-2-is-asked-for-if"&gt;SOC 2 is asked for if&lt;a class="headerlink" href="#soc-2-is-asked-for-if"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;You sell software-as-a-service to mid-market or enterprise US customers, you handle customer data in your cloud (you are a “service organization” in AICPA terms), and your annual contracts are large enough that buyers run formal security reviews (roughly $25K+ ACV is where SOC 2 requests appear routinely).&lt;/p&gt;
&lt;p&gt;SOC 2 is the most commonly asked-for credential in US B2B software, and the most expensive and slowest to obtain.&lt;/p&gt;
&lt;h2 id="the-honest-cost-picture"&gt;The honest cost picture&lt;a class="headerlink" href="#the-honest-cost-picture"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;Real 2025-2026 ranges for small organizations. Orders of magnitude are stable even as exact numbers shift.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;Framework                            First-year cost           Timeline
───────────────────────────────────  ────────────────────────  ──────────────
Cyber Essentials (self-assessment)   $400-$800 + ~30h internal  4 to 8 weeks
Cyber Essentials Plus                $2,000-$5,000 + ~60h       8 to 12 weeks
HITRUST e1                           $25,000-$50,000            4 to 6 months
HITRUST i1                           $50,000-$120,000           6 to 9 months
HITRUST r2                           $150,000-$500,000+         9 to 18 months
SOC 2 Type II (small org)            $25,000-$75,000            9 to 14 months
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;These are not list prices; they are what small organizations actually spend after readiness work, tooling, and the CPA or assessor invoice. A 5-person SaaS startup chasing SOC 2 should plan on 6 months of meaningful internal effort and around $40K of cash out the door. A solo dental practice does not need any of these.&lt;/p&gt;
&lt;h2 id="when-smbs-actually-need-each-one"&gt;When SMBs actually need each one&lt;a class="headerlink" href="#when-smbs-actually-need-each-one"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;A direct read.&lt;/p&gt;
&lt;h3 id="you-need-cyber-essentials-if"&gt;You need Cyber Essentials if&lt;a class="headerlink" href="#you-need-cyber-essentials-if"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;You sell to UK customers who explicitly ask for it. Otherwise, no.&lt;/p&gt;
&lt;h3 id="you-need-hitrust-if"&gt;You need HITRUST if&lt;a class="headerlink" href="#you-need-hitrust-if"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;A major healthcare customer has told you in writing that they will not renew or expand the contract without it. Pursuing HITRUST speculatively before that demand exists is a waste of small-business capital.&lt;/p&gt;
&lt;h3 id="you-need-soc-2-if"&gt;You need SOC 2 if&lt;a class="headerlink" href="#you-need-soc-2-if"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;You are losing deals because mid-market or enterprise prospects’ procurement teams cite the lack of a SOC 2 report. Specifically, the lack of it has cost you at least one named deal in the last 12 months, or two of the next 12 months’ largest prospective deals will require it. If neither is true, you are not ready to invest yet.&lt;/p&gt;
&lt;h3 id="you-need-none-of-these-if"&gt;You need NONE of these if&lt;a class="headerlink" href="#you-need-none-of-these-if"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;You are a sub-50-person business serving small business customers, no one has asked you for any of these credentials, and your immediate goal is satisfying a cyber insurance application or onboarding a new healthcare client (where HIPAA-aligned policies, not a HITRUST report, are what gets asked for).&lt;/p&gt;
&lt;p&gt;This is the most common honest answer and the hardest to sell, because compliance vendors do not make money telling you to wait. Most 5-to-25-person businesses do not need any of these three frameworks. They need written policies mapped to recognized standards (NIST CSF, ISO 27001, CIS Controls), an annual risk assessment, and evidence of basic security hygiene. That foundation is what underwriters, healthcare clients, and most B2B buyers will accept until you grow into formal certification.&lt;/p&gt;
&lt;h2 id="the-decision-tree"&gt;The decision tree&lt;a class="headerlink" href="#the-decision-tree"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;A three-question version:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Is a customer or insurer demanding a specific framework in writing?&lt;/strong&gt; If yes, pursue that one. If no, go to question 2.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Are you losing real deals because of the absence of a security credential?&lt;/strong&gt; If yes, the credential the buyers cite is the one worth pursuing. If no, go to question 3.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Are your existing written policies good enough to pass a cyber insurance application and a standard customer security questionnaire?&lt;/strong&gt; If yes, that is your priority for the next 12 months. If no, fix the policies first. Frameworks come after.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Most SMBs end at question 3.&lt;/p&gt;
&lt;h2 id="if-you-want-help-figuring-out-where-you-are"&gt;If you want help figuring out where you are&lt;a class="headerlink" href="#if-you-want-help-figuring-out-where-you-are"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;This is genuinely consulting work, not a product-shaped problem. Email &lt;code&gt;support@breachsecurity.io&lt;/code&gt; with three things:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;What your business does and roughly how many employees you have&lt;/li&gt;
&lt;li&gt;What credential or document a customer or insurer has actually asked you for (paste the email if possible)&lt;/li&gt;
&lt;li&gt;What you already have in place (policies, prior audits, certifications)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;We will reply with a recommendation. Sometimes it is “you need our Cyber Essentials bundle, here is why.” Sometimes it is “you should start a SOC 2 readiness engagement with a CPA firm, here are three we have worked with.” Sometimes it is “you do not need to spend money on any of this for the next 18 months, focus on revenue.” We will tell you which one you are.&lt;/p&gt;</content:encoded>
      <author>support@breachsecurity.io (Jeff O'Connor)</author>
      <guid isPermaLink="false">https://breachsecurity.io/blog/cyber-essentials-vs-hitrust-vs-soc2/</guid>
      <category>SMB Security 101</category>
      <pubDate>Tue, 30 Jun 2026 09:00:00 -0400</pubDate>
    </item>
    <item>
      <title>The 7 Cybersecurity Policies Your Insurance Broker Won't Tell You You Need</title>
      <link>https://breachsecurity.io/blog/7-cybersecurity-policies-your-insurance-broker-wont-tell-you/</link>
      <description>Most cyber insurance brokers ask about 4 or 5 commonly required documents. Underwriters routinely require 7 to 12. Here are the missing ones, why they matter, and what to do about them.</description>
      <content:encoded>&lt;p&gt;Your cyber insurance broker probably ran you through five questions on the last renewal call. Acceptable Use Policy. MFA. Backups. Phishing training. Incident response plan. You said yes or “we’re working on it” to all five, and the policy bound.&lt;/p&gt;
&lt;p&gt;What the broker did not tell you is that the underwriter who wrote that quote was looking at a list of 7 to 12 documents, not 5. The missing items did not stop binding this year. They will show up on the next major claim or the next hardening of the questionnaire.&lt;/p&gt;
&lt;p&gt;This is not a knock on brokers. The good ones know exactly what underwriters want. Most operate at scale across many carriers and surface only the requirements that block binding. The additional policies underwriters look for during deeper review, particularly at higher limits and at claim time, often do not come up.&lt;/p&gt;
&lt;p&gt;Here are the 5 to 8 policies typically missing from the short list, why each one matters, and what they cost to put in place.&lt;/p&gt;
&lt;h2 id="the-7-that-are-usually-missing"&gt;The 7 that are usually missing&lt;a class="headerlink" href="#the-7-that-are-usually-missing"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;h3 id="1-information-security-policy-the-parent-document"&gt;1. Information Security Policy (the parent document)&lt;a class="headerlink" href="#1-information-security-policy-the-parent-document"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;The Acceptable Use Policy governs employee behavior. The Information Security Policy governs the organization. It states the company’s posture on information confidentiality, integrity, and availability, names the person accountable (in a 5-person business, that is usually the owner), and references the supporting policies.&lt;/p&gt;
&lt;p&gt;Underwriters care because the NAIC Insurance Data Security Model Law (MDL-668), which 25 states had adopted as of early 2026, obligates insurers to verify that their insureds maintain a written information security program. The Acceptable Use Policy alone does not satisfy that test. The parent policy does.&lt;/p&gt;
&lt;p&gt;When this matters: at any policy renewal where the carrier has tightened its questionnaire (which most carriers have done in 2024-2026), the underwriter will ask for this by name. Brokers typically do not mention it because it does not appear on the binding checklist.&lt;/p&gt;
&lt;h3 id="2-password-and-mfa-policy-the-written-version"&gt;2. Password and MFA Policy (the written version)&lt;a class="headerlink" href="#2-password-and-mfa-policy-the-written-version"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;Most underwriters now ask whether MFA is in place. Fewer ask whether the use of MFA is documented in a written policy. The control without the policy passes binding. The policy is what gets asked for at claim time, when the carrier is reconstructing what controls were in place when the breach happened. If your only evidence is “we always required MFA,” the adjuster has to take your word for it. A written policy that predates the incident and is referenced in your onboarding documentation is much stronger.&lt;/p&gt;
&lt;p&gt;The standards to reference are NIST SP 800-63B and CIS Control 6.&lt;/p&gt;
&lt;h3 id="3-vendor-and-third-party-risk-policy"&gt;3. Vendor and Third-Party Risk Policy&lt;a class="headerlink" href="#3-vendor-and-third-party-risk-policy"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;Supply chain is now a top-three source of cyber loss for small businesses. The steady run of MSP and software-supplier compromises since the 2020-2021 SolarWinds incident has made vendor oversight a standard underwriting topic.&lt;/p&gt;
&lt;p&gt;Underwriters at higher coverage tiers ($2M and up) will ask how you vet vendors, what controls you require of them, and how you reassess annually. NIST SP 800-161 and CIS Control 15 are the standards to anchor to.&lt;/p&gt;
&lt;p&gt;Small business owners often resist this one because they do not feel they have “vendors.” You do. Your accountant, your IT contractor, your cloud backup provider, your practice management system vendor, your payroll service. A 2-page policy that names who is responsible for vendor reviews and what the review covers is enough.&lt;/p&gt;
&lt;h3 id="4-data-retention-and-destruction-policy"&gt;4. Data Retention and Destruction Policy&lt;a class="headerlink" href="#4-data-retention-and-destruction-policy"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;Breach notification cost is dominated by how much sensitive data sat in your environment when the breach happened. If you retain customer or employee records indefinitely because nobody set a retention schedule, your notification cost and litigation exposure are both larger than they need to be.&lt;/p&gt;
&lt;p&gt;State privacy laws (CCPA, CPRA, Virginia’s CDPA, Texas DPDPA, the growing list) increasingly require data minimization. NIST SP 800-88 is the destruction standard for media sanitization. A 2-to-3-page policy specifying how long each data category lives and how it is destroyed is what underwriters want to see.&lt;/p&gt;
&lt;h3 id="5-remote-work-or-telework-policy"&gt;5. Remote Work or Telework Policy&lt;a class="headerlink" href="#5-remote-work-or-telework-policy"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;If anyone in your company works from outside the office even part-time, you need this. The policy covers home-network minimums (WPA2 or better WiFi, default router credentials changed), VPN or zero-trust access, public WiFi rules, and basic physical workspace security. CISA’s telework guidance is the reference. For fully remote or hybrid businesses, this is non-optional at binding.&lt;/p&gt;
&lt;h3 id="6-mobile-device-management-policy-separate-from-byod"&gt;6. Mobile Device Management Policy (separate from BYOD)&lt;a class="headerlink" href="#6-mobile-device-management-policy-separate-from-byod"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;The policy for company-owned devices, distinct from BYOD. If you issue company laptops, phones, or tablets, you need a written policy covering inventory, OS update enforcement, encryption, lost or stolen device reporting, and return-at-offboarding. NIST SP 800-124 and CIS Control 4 are the references. Underwriters at mid-market and above want both BYOD and MDM. Having one without the other is a visible gap.&lt;/p&gt;
&lt;h3 id="7-onboarding-and-offboarding-policy"&gt;7. Onboarding and Offboarding Policy&lt;a class="headerlink" href="#7-onboarding-and-offboarding-policy"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;The single most-cited control failure in post-breach forensics: a terminated employee whose access was not revoked. Insurers know this. Most carriers ask whether you have a documented offboarding checklist.&lt;/p&gt;
&lt;p&gt;The policy is short. It names what access (email, cloud accounts, VPN, shared passwords) gets revoked on the employee’s last day, who executes each revocation, and how asset return is documented. ISO 27001 A.6.5 and CIS Control 6 are the anchors. Smaller businesses skip this because turnover is rare. The first contested separation makes the absence very tangible.&lt;/p&gt;
&lt;h2 id="what-this-means-for-your-renewal"&gt;What this means for your renewal&lt;a class="headerlink" href="#what-this-means-for-your-renewal"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;If you have the 5 your broker asked about plus the 7 above, you are at 12 documents. That is the upper end of what underwriters require for SMB cyber. With those 12, you can answer any standard questionnaire honestly with yes, and most carriers will quote you favorably.&lt;/p&gt;
&lt;p&gt;If you have 5 of the 12, you are in the average position. Your policy will bind at most carriers, but you will be at the higher end of pricing for your risk class and you will have known gaps at claim time.&lt;/p&gt;
&lt;p&gt;If you have 0 or 1 written documents, your carrier options are narrowing year over year. The hard cyber market has not fully reversed, and carriers are increasingly comfortable declining to quote uncontrolled risks.&lt;/p&gt;
&lt;h2 id="what-this-costs-to-fix"&gt;What this costs to fix&lt;a class="headerlink" href="#what-this-costs-to-fix"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;A traditional consulting engagement to draft all 12 policies for a small business runs $5,000 to $15,000 and takes 6 to 10 weeks. Generic template kits are cheaper but will not survive underwriter review because they will not cite the regulatory anchors (NIST CSF, ISO 27001, CIS Controls) underwriters are trained to scan for.&lt;/p&gt;
&lt;p&gt;We built Cyber Essentials specifically for this gap. The Full Pack covers all 12 policies on this list, custom-built for your business at intake, reviewed and signed, for $1,799. The Bundle of 5 is $999 if you only need to fill specific gaps. Individual policies are $299 each.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;For SMB owners reading this:&lt;/strong&gt; &lt;a href="https://breachsecurity.io/shop/cyber-essentials/" target="_blank" rel="noopener noreferrer"&gt;Browse the Cyber Essentials bundle at /shop/cyber-essentials/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;If you are not sure which policies you are missing, email &lt;code&gt;support@breachsecurity.io&lt;/code&gt; with a copy of your most recent cyber insurance application or questionnaire. We will tell you which of the 12 you have, which you are missing, and which tier (single policy, bundle of 5, or full pack) actually fits your gap. Sometimes it is just two policies. Sometimes it is the full set. We will say so honestly.&lt;/p&gt;
&lt;h2 id="a-note-for-cyber-insurance-brokers"&gt;A note for cyber insurance brokers&lt;a class="headerlink" href="#a-note-for-cyber-insurance-brokers"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;If you are a commercial cyber broker reading this, you already know underwriters want 7 to 12 documents. The friction is that your clients usually do not have them, renewal timelines are too short to draft properly, and $5K-$15K consulting referrals are a hard ask for a 10-person business.&lt;/p&gt;
&lt;p&gt;We run a referral partnership program: 15-20% commission on the first sale (tiered by package), Net 30, white-label option, and a co-branded one-pager you can drop into your renewal-prep emails. The Bundle of 5 at $999 or Full Pack at $1,799 is what most renewing clients can absorb in their compliance budget.&lt;/p&gt;
&lt;p&gt;Email &lt;code&gt;support@breachsecurity.io&lt;/code&gt; from your brokerage email and we will send the partner one-pager, referral agreement, and a calendar link.&lt;/p&gt;</content:encoded>
      <author>support@breachsecurity.io (Jeff O'Connor)</author>
      <guid isPermaLink="false">https://breachsecurity.io/blog/7-cybersecurity-policies-your-insurance-broker-wont-tell-you/</guid>
      <category>Cyber Insurance</category>
      <pubDate>Tue, 30 Jun 2026 09:00:00 -0400</pubDate>
    </item>
    <item>
      <title>The SEC Cyber Disclosure Cascade: Why Your Enterprise Client Just Sent You a 40-Page Security Questionnaire</title>
      <link>https://breachsecurity.io/blog/sec-cyber-disclosure-cascade-why-enterprise-clients-send-40-page-questionnaires/</link>
      <description>The SEC's 2023 cyber disclosure rules cascaded through public companies into their vendor pipelines. SMBs serving enterprise clients now feel it as 40-page questionnaires. Why and what to do.</description>
      <content:encoded>&lt;p&gt;If you sell to public companies and you have not been hit by a giant security questionnaire in the last 18 months, you will be. If you have, you know the pattern: 200 to 600 questions, three weeks to respond, written by someone in third-party risk management who has never met your company.&lt;/p&gt;
&lt;p&gt;The questionnaires are not a fluke and they are not going to shrink. They are the downstream effect of an SEC rule that took effect in late 2023, and the cascade has not finished propagating. This post walks through what the SEC required, how public companies translated it into vendor questionnaires, why they keep getting longer, and what an SMB should do.&lt;/p&gt;
&lt;h2 id="what-the-sec-actually-required"&gt;What the SEC actually required&lt;a class="headerlink" href="#what-the-sec-actually-required"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;In July 2023 the SEC adopted final rules on cybersecurity risk management, strategy, governance, and incident disclosure. The two pieces SMB owners need to know by name:&lt;/p&gt;
&lt;h3 id="item-105-of-form-8-k-incident-disclosure"&gt;Item 1.05 of Form 8-K: incident disclosure&lt;a class="headerlink" href="#item-105-of-form-8-k-incident-disclosure"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;Public companies must disclose a material cybersecurity incident on Form 8-K within four business days of determining the incident is material. The disclosure must describe nature, scope, timing, and material impact (or reasonably likely material impact). There is a narrow national security carve-out coordinated with the US Attorney General.&lt;/p&gt;
&lt;p&gt;The word that matters is “material.” Companies do not have four business days from discovery. They have four business days from the materiality determination, which must be made without unreasonable delay. The SEC has signaled it will second-guess foot-dragging on that determination.&lt;/p&gt;
&lt;h3 id="regulation-s-k-item-106-annual-governance-disclosure"&gt;Regulation S-K Item 106: annual governance disclosure&lt;a class="headerlink" href="#regulation-s-k-item-106-annual-governance-disclosure"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;Codified at &lt;code&gt;17 CFR § 229.106&lt;/code&gt;. Public companies must describe in their annual 10-K filings:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Their processes for assessing, identifying, and managing material cybersecurity risks&lt;/li&gt;
&lt;li&gt;Whether and how those processes are integrated into overall risk management&lt;/li&gt;
&lt;li&gt;Whether they engage third-party assessors, consultants, or auditors on cybersecurity&lt;/li&gt;
&lt;li&gt;Their oversight of cybersecurity risks from their use of third-party service providers (vendors)&lt;/li&gt;
&lt;li&gt;The board’s oversight of cybersecurity, including which committee handles it&lt;/li&gt;
&lt;li&gt;Management’s role and expertise in assessing and managing material cybersecurity risks&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That fourth bullet is where SMB vendors enter the story.&lt;/p&gt;
&lt;p&gt;The 2024 and 2025 fiscal years were the first two annual cycles under Item 106. Investors, plaintiff lawyers, and regulators are reading the disclosures. Each year’s disclosure sets the floor for the next.&lt;/p&gt;
&lt;h2 id="how-public-companies-translate-this-into-vendor-questionnaires"&gt;How public companies translate this into vendor questionnaires&lt;a class="headerlink" href="#how-public-companies-translate-this-into-vendor-questionnaires"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;A public company subject to Item 106 cannot honestly disclose “we oversee third-party cybersecurity risk” without an actual program. The cheapest, most legally defensible program is a vendor questionnaire pipeline plus contractual security addenda. Hence the questionnaires hitting SMB inboxes.&lt;/p&gt;
&lt;p&gt;The translation:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;The TPRM (third-party risk management) team builds or licenses a questionnaire (often SIG, SIG Lite, CAIQ, or a custom one).&lt;/li&gt;
&lt;li&gt;It is sent to every vendor at onboarding and periodically (usually annual for high-risk vendors).&lt;/li&gt;
&lt;li&gt;Responses are scored and used as the evidence record for the Item 106 disclosure.&lt;/li&gt;
&lt;li&gt;If a vendor breaches and the public company suffers a material incident, the questionnaire history is the public company’s defense at the SEC, in litigation, and to its own board.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;A 40-question questionnaire is harder to defend in deposition than a 400-question one. The legal team optimizes for defensibility; the SMB vendor pays the cost.&lt;/p&gt;
&lt;h2 id="why-the-questionnaires-are-getting-longer-not-shorter"&gt;Why the questionnaires are getting longer, not shorter&lt;a class="headerlink" href="#why-the-questionnaires-are-getting-longer-not-shorter"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;2024 saw credible predictions that the industry would standardize and shrink. Standardization happened, somewhat. Shrinkage did not.&lt;/p&gt;
&lt;p&gt;Three reasons:&lt;/p&gt;
&lt;h3 id="1-each-enforcement-action-ratchets-the-floor"&gt;1. Each enforcement action ratchets the floor&lt;a class="headerlink" href="#1-each-enforcement-action-ratchets-the-floor"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;SEC enforcement actions since 2024 have set the precedent that vague governance disclosures attract scrutiny. The SolarWinds case (filed October 2023, partially dismissed in 2024 with certain claims proceeding) put public companies on notice that their cybersecurity statements would be litigated. Each subsequent action becomes a footnote in the next questionnaire iteration.&lt;/p&gt;
&lt;h3 id="2-ai-and-supply-chain-incidents-added-question-categories"&gt;2. AI and supply-chain incidents added question categories&lt;a class="headerlink" href="#2-ai-and-supply-chain-incidents-added-question-categories"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;2024 and 2025 saw rapid AI adoption, third-party LLM integration, and several headline-grade supply-chain incidents. Each became a new section (AI governance, model risk, software bill of materials, supplier breach notification). Sections get added; they almost never get removed.&lt;/p&gt;
&lt;h3 id="3-state-and-sectoral-rules-layered-on-top"&gt;3. State and sectoral rules layered on top&lt;a class="headerlink" href="#3-state-and-sectoral-rules-layered-on-top"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;NYDFS Part 500 amendments, FTC Safeguards Rule updates, NAIC Insurance Data Security Model Law adoptions, and state privacy laws all added control expectations. Public companies operating across jurisdictions send one questionnaire that covers all of them.&lt;/p&gt;
&lt;p&gt;The trajectory through 2026-2028 is for questionnaires to keep inflating, with SIG/CAIQ adding versions annually.&lt;/p&gt;
&lt;h2 id="what-an-smb-vendor-should-actually-do"&gt;What an SMB vendor should actually do&lt;a class="headerlink" href="#what-an-smb-vendor-should-actually-do"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;When a 400-question SIG lands in your inbox, the natural reactions are to panic-fill or stall. Both are mistakes. Triage instead.&lt;/p&gt;
&lt;h3 id="triage-rule-1-not-every-questionnaire-is-worth-answering"&gt;Triage rule 1: not every questionnaire is worth answering&lt;a class="headerlink" href="#triage-rule-1-not-every-questionnaire-is-worth-answering"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;A questionnaire from your largest client representing $500K of annual revenue is worth 40 hours of work. One from a prospect who has not signed anything and is “evaluating vendors” is worth zero. Ask which it is before committing time. The signal: is there an executed contract, NDA, or PO? If not, the questionnaire may be a polite stall.&lt;/p&gt;
&lt;h3 id="triage-rule-2-bucket-the-questions"&gt;Triage rule 2: bucket the questions&lt;a class="headerlink" href="#triage-rule-2-bucket-the-questions"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;The first pass takes an hour or two. Most questions fall into three buckets:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Yes/no where the honest answer is yes&lt;/strong&gt; (MFA, written policies, encryption at rest). Answer immediately.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Yes/no where the honest answer is no&lt;/strong&gt; (SOC 2 Type II, dedicated CISO, formal threat modeling). Answer honestly and write one sentence on the compensating control or roadmap.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Essay questions requiring new policy or evidence&lt;/strong&gt; (full incident response plan, vendor risk policy, data classification). These take real time.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Most questionnaires have 60-75% of questions in the first two buckets. The third bucket is where your written policies, if you have them, save the most time.&lt;/p&gt;
&lt;h3 id="triage-rule-3-know-when-to-push-back"&gt;Triage rule 3: know when to push back&lt;a class="headerlink" href="#triage-rule-3-know-when-to-push-back"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;Some questions are inappropriate for your size. A SIG question asking for the name of your CISO when you are a 12-person company is not asking for a lie. It is asking who is accountable for security. The right answer is “the owner, Jane Smith, who holds equivalent functional responsibility.” Use the comment field. Do not check no and walk away.&lt;/p&gt;
&lt;p&gt;If a TPRM team rejects a substantively answered questionnaire on size-inappropriate grounds, that is a signal the buyer does not actually want SMB vendors. Better to know now.&lt;/p&gt;
&lt;h3 id="triage-rule-4-build-the-artifacts-once-reuse-them"&gt;Triage rule 4: build the artifacts once, reuse them&lt;a class="headerlink" href="#triage-rule-4-build-the-artifacts-once-reuse-them"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;Every questionnaire asks for the same 12-15 documents in different orders: Information Security Policy, Acceptable Use Policy, Incident Response Plan, Vendor Risk Policy, Data Retention Policy, Business Continuity Plan, Backup Policy, BYOD Policy, Onboarding/Offboarding, Access Control, Encryption Standards, Patch Management, Risk Assessment, SOC 2 if applicable, and a list of subprocessors.&lt;/p&gt;
&lt;p&gt;Once those are written down, every future questionnaire is mostly a routing exercise. Otherwise every one is a fresh marathon.&lt;/p&gt;
&lt;p&gt;(Many of these questionnaires map cleanly to our Cyber Essentials bundle, but the deeper answer is governance, not paperwork.)&lt;/p&gt;
&lt;h2 id="what-an-smb-should-not-do"&gt;What an SMB should not do&lt;a class="headerlink" href="#what-an-smb-should-not-do"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;Lie. Lying on a vendor questionnaire is grounds for contract termination and, depending on the contract, indemnification claims if the public company later suffers an incident attributable to the misrepresented control. Buyers respect honest no answers with compensating-control explanations. They do not respect yes answers that turn out to be no in forensics.&lt;/p&gt;
&lt;p&gt;Buy a SOC 2 Type II because one questionnaire asks for it. A SOC 2 is a $40K to $100K commitment with a 12-month observation window. Do it because you have a sustained pipeline of clients asking for it. SOC 2 Type I, Cyber Essentials Plus, or HITRUST e1 are cheaper signals that may satisfy the buyer.&lt;/p&gt;
&lt;p&gt;Outsource answers to a generic compliance consultant who does not know your business. The questionnaire is asking what your controls actually are. Answers that sound right will fall apart on follow-up calls. Someone inside the company who knows what is true must sign off on the final responses.&lt;/p&gt;
&lt;h2 id="what-to-actually-do-this-quarter"&gt;What to actually do this quarter&lt;a class="headerlink" href="#what-to-actually-do-this-quarter"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;If you serve public-company clients, write down the 12-15 core policies once. The next questionnaire becomes a copy-paste exercise.&lt;/li&gt;
&lt;li&gt;Triage every incoming questionnaire by economic commitment before you commit response time.&lt;/li&gt;
&lt;li&gt;Answer no honestly where it is no. Use the comment field for compensating controls.&lt;/li&gt;
&lt;li&gt;If you have no written policies and a questionnaire is in your inbox right now, prioritize the four that show up everywhere: Information Security Policy, Acceptable Use Policy, Incident Response Plan, Vendor Risk Policy. Those four cover roughly 40% of the typical questionnaire by question count.&lt;/li&gt;
&lt;li&gt;Set an internal threshold for the revenue at which you will pursue a SOC 2 or equivalent. That number usually starts mattering between $500K and $2M of public-company-segment revenue.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The cascade is not slowing down. The questionnaires will keep arriving and keep getting longer. The SMBs that come out of this in the strongest position are the ones who built the policy foundation once, treated the questionnaires as sales qualification rather than panic, and were willing to say no clearly when a control was not in place.&lt;/p&gt;</content:encoded>
      <author>support@breachsecurity.io (Jeff O'Connor)</author>
      <guid isPermaLink="false">https://breachsecurity.io/blog/sec-cyber-disclosure-cascade-why-enterprise-clients-send-40-page-questionnaires/</guid>
      <category>Industry News</category>
      <pubDate>Tue, 07 Jul 2026 09:00:00 -0400</pubDate>
    </item>
    <item>
      <title>Post-Quantum Cryptography: What SMBs Should Be Thinking About Before 2030</title>
      <link>https://breachsecurity.io/blog/post-quantum-cryptography-what-smbs-should-think-about-before-2030/</link>
      <description>NIST finalized the first post-quantum cryptography standards in August 2024. Most SMBs think this is a 2035 problem. The honest 2026 picture is more nuanced.</description>
      <content:encoded>&lt;p&gt;In August 2024, NIST finalized the first three post-quantum cryptographic standards: &lt;code&gt;FIPS 203&lt;/code&gt; (&lt;code&gt;ML-KEM&lt;/code&gt;, formerly Kyber), &lt;code&gt;FIPS 204&lt;/code&gt; (&lt;code&gt;ML-DSA&lt;/code&gt;, formerly Dilithium), and &lt;code&gt;FIPS 205&lt;/code&gt; (&lt;code&gt;SLH-DSA&lt;/code&gt;, formerly SPHINCS+). These are the algorithms federal systems will migrate to over the rest of the decade, and everything downstream of federal systems will eventually follow.&lt;/p&gt;
&lt;p&gt;If you run a small business, three reactions are reasonable:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;“I have no idea what any of those acronyms mean and I do not have time to care.”&lt;/li&gt;
&lt;li&gt;“Cool, but quantum computers that break RSA are 15 years away. I will deal with it then.”&lt;/li&gt;
&lt;li&gt;“I have been reading about this. Should I be doing something now?”&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The honest 2026 answer for SMBs is somewhere between reactions two and three. You do not need to panic-buy anything. You should also not assume this is a 2040 problem. The migration is already underway in the parts of the stack you depend on, harvest-now-decrypt-later is real for some data today, and enterprise clients will eventually ask what you are doing about it.&lt;/p&gt;
&lt;h2 id="what-the-threat-actually-is-in-plain-english"&gt;What the threat actually is, in plain English&lt;a class="headerlink" href="#what-the-threat-actually-is-in-plain-english"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;Modern internet security depends on a small set of public-key algorithms, mostly RSA and elliptic-curve cryptography (ECC). They are secure against any computer we currently know how to build because the underlying math (factoring large numbers, computing discrete logs on elliptic curves) takes impractical time on classical hardware.&lt;/p&gt;
&lt;p&gt;A sufficiently large fault-tolerant quantum computer can run Shor’s algorithm, which solves both problems in polynomial time. A real cryptographically relevant quantum computer (CRQC, the term in NIST and CISA documents) would break RSA and ECC. TLS, VPNs, email encryption, code signing, software updates, the certificates securing your bank’s website, and a long list of other things would all need new algorithms.&lt;/p&gt;
&lt;p&gt;The post-quantum algorithms NIST finalized are designed to resist both classical and quantum attacks. They rest on different math (lattice problems for ML-KEM and ML-DSA, hash-based signatures for SLH-DSA) with no known efficient quantum attack.&lt;/p&gt;
&lt;p&gt;Quantum computers will eventually break the math we currently rely on. We have new math they cannot break. The remaining question is timing.&lt;/p&gt;
&lt;h2 id="why-10-years-away-is-misleading"&gt;Why “10 years away” is misleading&lt;a class="headerlink" href="#why-10-years-away-is-misleading"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;The standard SMB-owner reaction is “great, deal with it when it happens.” The reason that is the wrong frame is a concept called harvest-now-decrypt-later (HNDL).&lt;/p&gt;
&lt;p&gt;An attacker who captures encrypted traffic today and stores it does not need a quantum computer today to threaten you. They need one eventually. When a CRQC becomes available, every captured ciphertext from years prior becomes decryptable retroactively. Whether that matters depends entirely on the shelf life of the data.&lt;/p&gt;
&lt;p&gt;The Mosca inequality, named after cryptographer Michele Mosca, is the standard framing: if the time you need data to remain confidential plus the time to migrate your systems is longer than the time until a CRQC exists, you are already exposed. Most SMB data has a short confidentiality window (a credit card number is useless after the card is reissued). Some does not: trade secrets, employee health records, attorney-client communications, M&amp;amp;A discussions, anything covered by long-tail regulatory retention.&lt;/p&gt;
&lt;p&gt;The point of HNDL is not that quantum is imminent. It is that for a narrow class of long-lived sensitive data, the migration deadline is sooner than the CRQC deadline. For everything else, you have time.&lt;/p&gt;
&lt;h2 id="what-is-already-happening-you-may-not-have-noticed"&gt;What is already happening (you may not have noticed)&lt;a class="headerlink" href="#what-is-already-happening-you-may-not-have-noticed"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;The interesting fact about post-quantum migration in 2026 is how much of it is already in flight without most users seeing it.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Browsers and TLS:&lt;/strong&gt; Chrome enabled a hybrid post-quantum key exchange (&lt;code&gt;X25519MLKEM768&lt;/code&gt;) by default for TLS 1.3 in 2024. Firefox followed. By 2026, a meaningful share of HTTPS connections from major browsers are already protected by hybrid key exchange that resists future quantum decryption. You did not have to do anything to get this.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;OS vendors:&lt;/strong&gt; Apple introduced PQ3 for iMessage in early 2024, a hybrid post-quantum messaging protocol. Microsoft, Google, and AWS have all announced PQC roadmaps.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Certificate authorities:&lt;/strong&gt; CA/Browser Forum working drafts on PQC certificate timelines exist. Production rollout is conservative because certificate ecosystems take years to migrate, but the planning is public.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;NIST and CISA guidance:&lt;/strong&gt; NIST has published &lt;code&gt;IR 8547&lt;/code&gt; and &lt;code&gt;IR 8413&lt;/code&gt; on PQC migration planning. CISA’s Post-Quantum Cryptography Initiative is the federal coordination point. Federal agencies must inventory cryptographic systems and prepare migration plans under NSM-10 (May 2022).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Federal procurement:&lt;/strong&gt; Vendors who sell to the federal government are now subject to PQC requirements that will appear in solicitations over 2026-2030. Those vendors pass requirements down to their suppliers. Some of those suppliers are small businesses.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;What this means for an SMB is that you are mostly a consumer of cryptography, not a producer of it. The libraries, browsers, OSes, and cloud platforms you depend on are migrating. Your job is to know which of your vendors are doing the work, and to be ready when customers start asking.&lt;/p&gt;
&lt;h2 id="what-an-smb-should-actually-do-in-2026"&gt;What an SMB should actually do in 2026&lt;a class="headerlink" href="#what-an-smb-should-actually-do-in-2026"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;The temptation is to recommend a 12-step crypto-agility program. For most SMBs that is overkill. Here is the actual short list.&lt;/p&gt;
&lt;h3 id="step-1-inventory-where-you-rely-on-cryptography"&gt;Step 1: Inventory where you rely on cryptography&lt;a class="headerlink" href="#step-1-inventory-where-you-rely-on-cryptography"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;You do not need a cryptographic bill of materials at the byte level. You need a one-page list of the systems where the integrity or confidentiality of long-lived data matters. Examples:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Email and file storage (especially anything with retention obligations longer than five years)&lt;/li&gt;
&lt;li&gt;VPNs and remote-access tools&lt;/li&gt;
&lt;li&gt;Backup systems and the encryption-at-rest of those backups&lt;/li&gt;
&lt;li&gt;Code signing if you ship software&lt;/li&gt;
&lt;li&gt;Anything covered by HIPAA, attorney-client privilege, or trade-secret protection&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For each, note the vendor and the rough sensitivity window. That is your starting inventory.&lt;/p&gt;
&lt;h3 id="step-2-identify-your-hndl-exposure-honestly"&gt;Step 2: Identify your HNDL exposure honestly&lt;a class="headerlink" href="#step-2-identify-your-hndl-exposure-honestly"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;For each item on the inventory, ask: if this data were captured today and decrypted in 2032 or 2035, would that matter?&lt;/p&gt;
&lt;p&gt;For most SMB data, the honest answer is no. Operational emails about quarterly logistics will not matter. For a healthcare practice’s patient records, an attorney’s case files, or an engineering firm’s IP, the answer may be yes. Concentrate the rest of the program on the small subset where the answer is yes.&lt;/p&gt;
&lt;h3 id="step-3-monitor-vendor-roadmaps-do-not-panic-buy"&gt;Step 3: Monitor vendor roadmaps, do not panic-buy&lt;a class="headerlink" href="#step-3-monitor-vendor-roadmaps-do-not-panic-buy"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;Ask your major vendors, especially those handling long-lived sensitive data, what their PQC roadmap is. Most will not have an answer in 2026. By 2027-2028 most should. Two reasonable questions to send your top three vendors via email this quarter:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;“What is your post-quantum cryptography migration plan?”&lt;/li&gt;
&lt;li&gt;“Will I receive a notification when PQC-protected versions of your service become available?”&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;You are not demanding action. You are signaling that you are paying attention. Vendors prioritize what their customers ask about.&lt;/p&gt;
&lt;h3 id="step-4-do-not-roll-your-own-pqc-anything"&gt;Step 4: Do not roll your own PQC anything&lt;a class="headerlink" href="#step-4-do-not-roll-your-own-pqc-anything"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;The PQC algorithms are new, implementations are still maturing, and side-channel attacks on early implementations are an active research area. Hybrid modes (classical + PQC together) are the responsible deployment pattern through at least the late 2020s because they fail safe against both quantum attacks and bugs in the new algorithms.&lt;/p&gt;
&lt;p&gt;In practice: take what your browsers, OS, and cloud platforms ship. Do not build a custom PQC tunnel because you read a Hacker News post. The right time to adopt PQC in your own stack is when your platform vendor ships it with a “use this” recommendation.&lt;/p&gt;
&lt;h3 id="step-5-update-your-written-information-security-policy-when-the-vendor-wave-hits"&gt;Step 5: Update your written information security policy when the vendor wave hits&lt;a class="headerlink" href="#step-5-update-your-written-information-security-policy-when-the-vendor-wave-hits"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;Sometime in 2027-2029, expect cyber insurance questionnaires, vendor security questionnaires, and possibly regulatory frameworks to start asking about cryptographic agility and PQC readiness. Your written information security policy should have a paragraph acknowledging the PQC transition, naming the standards you follow (&lt;code&gt;FIPS 203/204/205&lt;/code&gt;), and pointing to a migration approach (mostly “we use vendor-provided PQC capabilities as they become available”). This will eventually become a line item in our Cyber Essentials suite as the policies catch up to the standards.&lt;/p&gt;
&lt;h2 id="what-i-would-ignore-for-now"&gt;What I would ignore for now&lt;a class="headerlink" href="#what-i-would-ignore-for-now"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;PQC “drop-in replacement” pitches aimed at SMBs. The 2026 migration is happening at the platform layer, not at the SMB purchase layer. If a vendor is selling you a $25,000/year PQC product as a small business, they are either confused about the threat shape or hoping you are.&lt;/p&gt;
&lt;p&gt;Doom-cycle headlines about Chinese or US quantum breakthroughs. Progress is real but slow. Public estimates for a CRQC capable of breaking RSA-2048 still cluster in the early to mid 2030s, with credible uncertainty in both directions. If that picture genuinely changes, it will be front-page news.&lt;/p&gt;
&lt;h2 id="what-to-actually-do-this-quarter"&gt;What to actually do this quarter&lt;a class="headerlink" href="#what-to-actually-do-this-quarter"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;Spend 30 minutes producing the one-page inventory in Step 1 above.&lt;/li&gt;
&lt;li&gt;Be honest with yourself about which 2-3 items on it have a real harvest-now-decrypt-later exposure.&lt;/li&gt;
&lt;li&gt;Email your top three vendors (email provider, backup provider, primary line-of-business platform) and ask the two questions in Step 3.&lt;/li&gt;
&lt;li&gt;Add one line to your written information security policy acknowledging the PQC transition and naming &lt;code&gt;FIPS 203&lt;/code&gt;, &lt;code&gt;FIPS 204&lt;/code&gt;, &lt;code&gt;FIPS 205&lt;/code&gt; as the standards you will follow.&lt;/li&gt;
&lt;li&gt;Set a calendar reminder for Q3 2027 to revisit this. The vendor landscape will look different by then and you will want to refresh the inventory.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;That is the entire 2026 program for a normal SMB. It is small because the migration is largely happening above your level. The discipline is to know that it is happening, to know which of your data actually has long-tail exposure, and to be ready to answer the question when your enterprise clients eventually ask it.&lt;/p&gt;</content:encoded>
      <author>support@breachsecurity.io (Jeff O'Connor)</author>
      <guid isPermaLink="false">https://breachsecurity.io/blog/post-quantum-cryptography-what-smbs-should-think-about-before-2030/</guid>
      <category>Industry News</category>
      <pubDate>Tue, 07 Jul 2026 09:00:00 -0400</pubDate>
    </item>
    <item>
      <title>AI Voice-Cloning Attacks on Small Businesses: What's Actually Happening in 2026</title>
      <link>https://breachsecurity.io/blog/ai-voice-cloning-attacks-on-small-businesses-what-is-happening-in-2026/</link>
      <description>Voice cloning moved from research demo to commodity attack tool between 2024 and 2026. Here is what is actually being done to small businesses, with real cases, and what defenses hold up.</description>
      <content:encoded>&lt;p&gt;Three years ago, cloning a voice well enough to fool a coworker required a research lab, hours of clean audio, and a GPU cluster. In 2026, it requires a free trial of a commercial speech model, about thirty seconds of audio scraped from a LinkedIn video, and a phone.&lt;/p&gt;
&lt;p&gt;That is the change. Voice cloning crossed the line from research demo to commodity attack tool in late 2023 and has stayed there. Headlines have done a poor job separating the cases that actually happened from speculative writeups, so this post walks through what is documented, how the attacks unfold against a small business, and what defenses hold up.&lt;/p&gt;
&lt;p&gt;Upfront: most small businesses are over-buying “AI deepfake detection” products and under-investing in the boring callback procedures that have always defeated wire fraud. The defense story has not changed as much as the threat story.&lt;/p&gt;
&lt;h2 id="what-is-actually-documented"&gt;What is actually documented&lt;a class="headerlink" href="#what-is-actually-documented"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;A handful of real incidents have set the public narrative. They get cited in every vendor pitch deck, so it is worth knowing what each one actually proves.&lt;/p&gt;
&lt;h3 id="arup-february-2024-hong-kong"&gt;Arup, February 2024 (Hong Kong)&lt;a class="headerlink" href="#arup-february-2024-hong-kong"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;The Arup case is the largest publicly reported AI-assisted fraud against a single company to date. A finance staffer in Arup’s Hong Kong office transferred roughly $25 million across multiple wires after attending a video conference with what appeared to be the company’s CFO and several colleagues. Every other “person” on the call was a deepfake video and synthesized voice. Hong Kong police confirmed the fraud in May 2024.&lt;/p&gt;
&lt;p&gt;What it proves: video and voice can both be synthesized convincingly enough to defeat a multi-person video call when the attacker has done reconnaissance and the target has no out-of-band verification step.&lt;/p&gt;
&lt;p&gt;What it does not prove: that this technique is being used at scale against small businesses. Arup was a $2.5 billion engineering firm and the attackers invested serious effort. The Arup attack is the high-end case study, not the median.&lt;/p&gt;
&lt;h3 id="the-2024-2026-bec-voice-clone-wave"&gt;The 2024-2026 BEC voice-clone wave&lt;a class="headerlink" href="#the-2024-2026-bec-voice-clone-wave"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;More relevant to small businesses is the broader pattern documented by the FBI’s IC3, the FTC, and CISA during 2024-2025. BEC (business email compromise) attacks are increasingly supplemented with a follow-up call in which the voice sounds like the CEO, CFO, or a known vendor contact.&lt;/p&gt;
&lt;p&gt;The pattern repeats: a spoofed or compromised email instructs a finance staffer to change payment instructions or expedite a wire, and the “confirmation call” they place is intercepted, or an inbound call arrives with a cloned voice pressing urgency. Per-incident losses on the SMB side typically run $30,000 to $400,000.&lt;/p&gt;
&lt;p&gt;This is the threat shape that matters for SMBs. Not a live deepfake on a Zoom call. A 45-second voicemail or live call that sounds enough like the boss to get a junior employee to push through a payment change.&lt;/p&gt;
&lt;h3 id="mgm-style-hybrid-social-engineering-2023-2025"&gt;MGM-style hybrid social engineering (2023-2025)&lt;a class="headerlink" href="#mgm-style-hybrid-social-engineering-2023-2025"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;The MGM Resorts attack in September 2023 is often cited in the AI-voice conversation, but be careful. The publicly reported entry vector was a vishing call to an IT help desk in which the attacker impersonated an employee to get a password reset, using a regular human voice and social engineering, not an AI clone.&lt;/p&gt;
&lt;p&gt;It is worth mentioning for the hybrid pattern. Groups operating in 2024-2026 (Scattered Spider is the group most associated with this technique) routinely combine LinkedIn reconnaissance, pretexting, and live vishing against help desks. AI voice cloning is now showing up as one more tool in that toolkit.&lt;/p&gt;
&lt;h2 id="how-the-attack-unfolds-against-an-smb"&gt;How the attack unfolds against an SMB&lt;a class="headerlink" href="#how-the-attack-unfolds-against-an-smb"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;The pattern is consistent enough across reported cases that you can almost script it.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Step 1: Reconnaissance.&lt;/strong&gt; The attacker identifies the target, the owner, and a finance employee. LinkedIn, the company website, podcasts, and YouTube videos are the source material. Thirty seconds of clean audio is enough for a commercial voice model.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Step 2: Setup.&lt;/strong&gt; The attacker compromises or spoofs an email account, sometimes a real one (credential theft, missing MFA), sometimes a lookalike domain (&lt;code&gt;yourcompany-co.com&lt;/code&gt; instead of &lt;code&gt;yourcompany.com&lt;/code&gt;).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Step 3: Trigger.&lt;/strong&gt; An email arrives during a busy moment: payroll week, a vendor invoice cycle, a real travel period for the owner. It asks for an urgent payment change, a new wire, or an expedited check.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Step 4: Voice confirmation.&lt;/strong&gt; If the employee tries to verify, the call either reaches the attacker (the number in the email is the attacker’s) or an inbound call arrives from a spoofed number with what sounds like the owner’s voice.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Step 5: Payment goes out.&lt;/strong&gt; Money moves to a mule account, typically converted to crypto within hours, often unrecoverable.&lt;/p&gt;
&lt;p&gt;The technical sophistication of the voice clone is rarely the deciding factor. Whether the employee paused to verify through a known-good channel is.&lt;/p&gt;
&lt;h2 id="defenses-that-actually-hold-up"&gt;Defenses that actually hold up&lt;a class="headerlink" href="#defenses-that-actually-hold-up"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;There is a real product category emerging around AI deepfake detection: tools that analyze audio for synthetic artifacts and flag suspicious calls. Some of these will get better. None of them are reliable enough today to be your primary control, and I would rank them well below the basics on any 2026 SMB budget.&lt;/p&gt;
&lt;p&gt;What does hold up:&lt;/p&gt;
&lt;h3 id="multi-channel-verification-for-any-financial-change"&gt;Multi-channel verification for any financial change&lt;a class="headerlink" href="#multi-channel-verification-for-any-financial-change"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;The single highest-leverage control. Any request to change payment instructions, add a new payee, or send a wire above a documented threshold gets verified through a second, independent channel. If the request came by email, confirm by phone using a number from your address book, not the number in the email. If by phone, confirm by text or in person.&lt;/p&gt;
&lt;p&gt;This is not new advice. It is what the FBI has recommended for BEC since 2015. It defeats AI voice cloning for the same reason it defeated email impersonation: it removes the attacker’s ability to control both sides of the conversation.&lt;/p&gt;
&lt;h3 id="callback-protocols-with-a-verification-phrase"&gt;Callback protocols with a verification phrase&lt;a class="headerlink" href="#callback-protocols-with-a-verification-phrase"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;A step further: maintain pre-agreed callback numbers for key personnel and key vendors, paired with a verification phrase that only the real person would know, rotated periodically. If you are wiring six figures based on a phone call, “what is the phrase” should be a step in the script. Awkward is the point. The friction is the defense.&lt;/p&gt;
&lt;h3 id="mfa-on-payment-change-requests-not-just-logins"&gt;MFA on payment-change requests, not just logins&lt;a class="headerlink" href="#mfa-on-payment-change-requests-not-just-logins"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;Most SMBs treat MFA as a login control. The higher-impact use is requiring MFA-style approval (a push notification, a hardware key tap, a second-person acknowledgment) on any change to payment instructions in your accounting system, payroll provider, or banking portal. Most major providers offer dual-approval workflows; most small businesses have them disabled.&lt;/p&gt;
&lt;h3 id="employee-awareness-training-that-includes-audio-examples"&gt;Employee awareness training that includes audio examples&lt;a class="headerlink" href="#employee-awareness-training-that-includes-audio-examples"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;Generic phishing training rarely includes voice. Update annual training to include real samples of AI-cloned voices. The goal is not for employees to detect a fake voice (they often cannot). The goal is for them to recognize that “urgent payment change confirmed by a phone call” is the attack pattern, regardless of whose voice is on the line.&lt;/p&gt;
&lt;h3 id="reduce-the-public-audio-footprint-where-you-can"&gt;Reduce the public audio footprint where you can&lt;a class="headerlink" href="#reduce-the-public-audio-footprint-where-you-can"&gt;¶&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;If your voice is not already extensively public, think twice before the marketing video that puts thirty seconds of clean audio online. This is not a recommendation to go silent. It is a recommendation to know what you are paying in attack-surface terms for each piece of public content.&lt;/p&gt;
&lt;p&gt;(Our Incident Response Policy module covers the callback-protocol playbook in detail.)&lt;/p&gt;
&lt;h2 id="what-i-would-not-spend-money-on-yet"&gt;What I would not spend money on yet&lt;a class="headerlink" href="#what-i-would-not-spend-money-on-yet"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;AI voice detection software at the consumer or SMB price tier. The tools that exist in 2026 either produce too many false positives to be operationally useful or work only after the fact on recorded audio, by which point the wire is gone. Enterprise call-center vendors have better integrations, but those products are not priced for SMB. The accuracy curves will improve. They are not where 2026 budget belongs.&lt;/p&gt;
&lt;p&gt;Generic “AI security” products without a specific stated control. If a vendor cannot tell you in one sentence what attack they prevent and how, the product is brochure-ware.&lt;/p&gt;
&lt;h2 id="what-to-actually-do-this-quarter"&gt;What to actually do this quarter&lt;a class="headerlink" href="#what-to-actually-do-this-quarter"&gt;¶&lt;/a&gt;&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;Write a payment-change verification policy requiring a callback on a known-good number for any change to wire instructions, ACH instructions, or new payees. Pick a concrete threshold (often $1,000 is the right floor).&lt;/li&gt;
&lt;li&gt;Pick a verification phrase for the small set of people authorized to direct large transfers. Rotate it quarterly. Make sure your bookkeeper and your bank have it.&lt;/li&gt;
&lt;li&gt;Turn on dual-approval workflows in your accounting system, payroll provider, and banking portal. They are almost always available and almost always off by default.&lt;/li&gt;
&lt;li&gt;Add one real AI-voice example to your next employee training. CISA, IC3, and FTC consumer alerts have public examples.&lt;/li&gt;
&lt;li&gt;Audit your own public audio footprint. You do not need to delete anything. Just know what is out there.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The defense story for 2026 is not new technology. It is the steady reinforcement of out-of-band verification, written down, practiced, and built into the workflow before an urgent-sounding voicemail makes it feel inconvenient.&lt;/p&gt;</content:encoded>
      <author>support@breachsecurity.io (Jeff O'Connor)</author>
      <guid isPermaLink="false">https://breachsecurity.io/blog/ai-voice-cloning-attacks-on-small-businesses-what-is-happening-in-2026/</guid>
      <category>Industry News</category>
      <pubDate>Tue, 07 Jul 2026 09:00:00 -0400</pubDate>
    </item>
  </channel>
</rss>
