What to look out for today
1) Network edge / remote network management systems being targeted (especially SD-WAN controllers/managers). If you outsource networking or have multiple sites, your “internet edge” and its management console are high-value targets.
2) “Urgent patch” and “IT support” messages leveraging headlines about Windows 11 / Exchange being hacked at security competitions. Expect more convincing emails/calls pushing staff to “install updates”, “approve admin access”, or “re-enter Microsoft passwords”.
3) Pressure to adopt agentic AI quickly without guardrails. If you’re trialling AI that can take actions (send emails, change records, move files), treat it as a privileged user.
Why this matters to smaller businesses
- Edge systems are a shortcut to everything: if an attacker gets into a network controller/management system, they may be able to pivot across sites, change routing, or disrupt connectivity.
- Business impact is immediate: internet outage, site-to-site disruption, and knock-on issues with cloud apps, VoIP, card terminals, and remote working.
- Public security headlines drive scams: attackers routinely exploit news cycles to make phishing feel credible (“this is related to the Exchange/Windows hack in the news”).
- Agentic AI can magnify mistakes: a poorly configured tool can leak data or perform unsafe actions at speed if it has broad permissions.
Warning signs
- Unexpected prompts to log in again to Microsoft 365, email, or VPN “due to security updates”.
- Emails/calls claiming to be your IT provider, ISP, or network supplier requesting urgent access, MFA approval, or a remote support session.
- Unplanned network changes: new admin accounts, configuration changes, sudden VPN/SD-WAN reconfigurations, or unusual reboots.
- Connectivity oddities: multiple sites drop at once, VoIP degrades, card terminals fail, or cloud apps become intermittently unreachable.
- AI pilots where the tool has write access to shared drives, mailboxes, CRM/finance systems, or HR folders without clear approval steps.
How attackers may exploit the situation
- Targeting remote network management (directly or via an MSP) to gain admin-level control and persistence.
- Follow-on disruption: once inside, attackers may disable security tools, create backdoor access, or prepare for ransomware by mapping your environment.
- Phishing and fake help-desk campaigns referencing “Exchange/Windows emergency fixes” to trick staff into handing over credentials or approving MFA prompts.
- Abusing trust in automation: if an agentic AI has broad permissions, an attacker (or a bad integration) can use it to exfiltrate files or send convincing internal emails.
What to do today
- Confirm who manages your network edge (SD-WAN, firewall, VPN, routers) and how access is controlled (named accounts, MFA, logging).
- Brief staff: no one should install software, approve MFA prompts, or start a remote support session solely because an email or call asked them to. Verify the request using a phone number you already hold for the supplier, not one given in the message.
- Check admin access hygiene: remove shared admin logins; ensure MFA is enforced; review recent admin logins and configuration changes.
- If trialling agentic AI, start with least privilege: read-only where possible; human approval for sending emails, changing records, or moving/deleting files.
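The “treat it as a privileged user” point above can be made concrete with a gate that every agent action passes through. The following is an added illustration, not code from the brief, the NCSC or any AI product: the tool names, folder paths and approver names are assumptions chosen for the example. Read-only actions proceed unattended, anything that sends, changes, moves or deletes is held until a named human (not the agent itself) approves that specific request, and targets outside the pilot’s folders are refused even when approved, with every decision written to an audit trail.

```python
"""Least-privilege gate for an agentic AI pilot.

Constructed example (not any vendor's product code): every action the agent
wants to take is routed through Gate.decide(). Read-only actions proceed on
their own; anything that sends, changes, moves or deletes is held until a
named human approves that specific request; anything aimed outside the
agent's permitted folders is refused even if someone approved it. Every
decision is written to an audit trail for later review.
"""
import posixpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Actions the agent may perform unattended (read-only). Hypothetical tool names.
READ_ONLY = {"read_file", "list_folder", "search_mail", "lookup_record"}
# Actions that need a human to approve each individual request.
NEEDS_APPROVAL = {"send_email", "update_record", "move_file", "delete_file"}
# Actions whose target is a file path and therefore subject to scope checks.
FILE_ACTIONS = {"read_file", "list_folder", "move_file", "delete_file"}
# Hypothetical folder boundaries for the pilot.
ALLOWED_ROOTS = ("/shared/projects/ai-pilot",)
BLOCKED_ROOTS = ("/shared/hr", "/shared/finance")


@dataclass
class Request:
    action: str
    target: str                        # file path, mailbox address or record id
    requested_by: str                  # identity of the agent or integration
    approved_by: Optional[str] = None  # named human approver, if any


def _under(path: str, root: str) -> bool:
    """True if path is root itself or sits beneath it (after normalising '..')."""
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def path_in_scope(target: str) -> bool:
    """Blocked folders win over allowed ones; anything else is out of scope."""
    if any(_under(target, root) for root in BLOCKED_ROOTS):
        return False
    return any(_under(target, root) for root in ALLOWED_ROOTS)


@dataclass
class Gate:
    audit: List[Dict[str, str]] = field(default_factory=list)

    def decide(self, req: Request) -> str:
        """Return 'allow', 'hold' (awaiting approval) or 'deny', and log it."""
        if req.action not in READ_ONLY | NEEDS_APPROVAL:
            outcome, reason = "deny", "action not in the agent's tool list"
        elif req.action in FILE_ACTIONS and not path_in_scope(req.target):
            outcome, reason = "deny", "target outside the agent's folders"
        elif req.action in READ_ONLY:
            outcome, reason = "allow", "read-only action"
        elif req.approved_by and req.approved_by != req.requested_by:
            # A human other than the requester has signed off this request.
            outcome, reason = "allow", f"approved by {req.approved_by}"
        else:
            outcome, reason = "hold", "human approval required"
        self.audit.append({"action": req.action, "target": req.target,
                           "requested_by": req.requested_by,
                           "approved_by": req.approved_by or "",
                           "outcome": outcome, "reason": reason})
        return outcome


if __name__ == "__main__":
    gate = Gate()
    gate.decide(Request("read_file", "/shared/projects/ai-pilot/notes.txt", "agent"))
    gate.decide(Request("send_email", "finance@example.com", "agent"))
    gate.decide(Request("delete_file", "/shared/hr/payroll.xlsx", "agent", approved_by="alice"))
    for entry in gate.audit:
        print(entry["outcome"].upper(), entry["action"], entry["target"], "-", entry["reason"])
```

The path check normalises “..” before comparing, so a request aimed at the allowed folder but climbing out of it is still refused, and the approver must be someone other than the requesting identity, which closes the obvious self-approval gap.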
Ask your IT provider
- Do we run (or do you manage) any Cisco Catalyst SD-WAN Controller/Manager environments for us or within our wider group? If yes, what’s our exposure and what checks have you done for suspicious access?
- How do you monitor and alert on changes to network edge configurations and creation of new admin accounts?
- What is our process for verifying supplier “urgent update” requests (including you), and how do you prevent your support channels being spoofed?
- If we use AI tools, can you help us define permission boundaries, audit logs, and an approval workflow for high-risk actions?
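The questions above about new admin accounts, configuration changes and unusual admin access can be turned into simple alerting rules. Below is an added example, not from the brief or from Cisco: the key=value audit lines are constructed in a made-up format (not any vendor’s real log schema), and the known-management addresses, change window and ticket field are assumptions a provider would substitute with their own. It flags admin logins from unknown addresses, creation of any admin-role account, and configuration changes made without a change ticket, outside the agreed window, or by an account that was only just created.

```python
"""Alerting on suspicious network-edge management activity.

Constructed example: the audit lines below use a made-up key=value format,
not any vendor's real log schema. The rules answer the brief's questions:
who created admin accounts, who changed configuration, and from where.
"""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Addresses your provider normally administers the edge from (constructed).
KNOWN_ADMIN_SOURCES = {"198.51.100.10", "198.51.100.11"}
# Agreed change window in UTC hours (constructed): changes expected 20:00-21:59.
CHANGE_WINDOW_HOURS = range(20, 22)

# Constructed sample audit trail from a hypothetical management console.
SAMPLE_LOG = """\
2026-05-17T20:15:00Z host=edge-mgr user=msp.alice src=198.51.100.10 event=LOGIN_SUCCESS role=admin
2026-05-17T20:16:30Z host=edge-mgr user=msp.alice src=198.51.100.10 event=CONFIG_CHANGE object=vpn-tunnel-site2 ticket=CHG-1042
2026-05-18T02:41:07Z host=edge-mgr user=svc_backup src=203.0.113.9 event=LOGIN_SUCCESS role=admin
2026-05-18T02:42:15Z host=edge-mgr user=svc_backup src=203.0.113.9 event=USER_CREATE target=support2 role=admin
2026-05-18T02:43:50Z host=edge-mgr user=support2 src=203.0.113.9 event=CONFIG_CHANGE object=routing-policy-all-sites
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, *pairs = line.split()
    fields = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def analyse(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, user, reasons) for every line that trips a rule."""
    alerts = []
    new_accounts = set()  # accounts created within this batch of lines
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        when = datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        event = f.get("event")
        reasons = []
        # Rule 1: admin login from somewhere the provider does not normally use.
        if event == "LOGIN_SUCCESS" and f.get("role") == "admin" and f.get("src") not in KNOWN_ADMIN_SOURCES:
            reasons.append(f"admin login from unknown source {f.get('src')}")
        # Rule 2: any new account with admin rights is worth a human look.
        if event == "USER_CREATE" and f.get("role") == "admin":
            reasons.append(f"new admin account {f.get('target')} created")
            new_accounts.add(f.get("target"))
        # Rule 3: configuration changes outside change control.
        if event == "CONFIG_CHANGE":
            if "ticket" not in f:
                reasons.append("configuration change with no change ticket")
            if when.hour not in CHANGE_WINDOW_HOURS:
                reasons.append(f"configuration change outside change window ({when:%H:%M} UTC)")
            if f.get("user") in new_accounts:
                reasons.append("configuration change by an account created in the same period")
        if reasons:
            alerts.append((f["ts"], f.get("user", "?"), reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in analyse(SAMPLE_LOG):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

Run as-is it reports nothing for the ticketed, in-hours change by the known engineer and three alerts for the out-of-hours sequence: an admin login from an unrecognised address, a new admin account, and a wide-scope configuration change by that brand-new account with no ticket. A real deployment would feed the console’s own audit export or syslog into the same rules and route alerts to whoever owns change control.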
Patch watch
Cisco Talos reports active exploitation of an authentication bypass affecting Cisco Catalyst SD-WAN Controller/Manager (CVE-2026-20182). If you (or your MSP) use these products, treat this as time-sensitive: confirm ownership, review access logs and admin accounts, and ensure updates/mitigations are being handled under change control with clear evidence.
One action today
Send a same-day instruction to staff: do not approve MFA prompts or start remote support sessions from unsolicited “urgent update” emails/calls; verify via a known internal or supplier phone number.
Related Actions On Cyber resource
Run the Actions On Cyber “Payment & account change request verification” mini-checklist (adapt it for IT support and “urgent security update” requests).
Sources
- Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities (Cisco Talos)
- Microsoft Exchange, Windows 11 hacked on second day of Pwn2Own (BleepingComputer)
- Windows 11 and Microsoft Edge hacked at Pwn2Own Berlin 2026 (BleepingComputer)
- Thinking carefully before adopting agentic AI (NCSC All Updates)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.