The Devolutions State of IT Security in SMBs in 2024-25 Survey report is now available. While there is plenty to explore and unpack — everything from insider threats to AI — one of the biggest revelations is that 52% of SMBs have not yet adopted a secure, effective, and automated privileged access management (PAM) solution. This is alarming considering that:
- 74% of data breaches start with privileged credential abuse
- 55% of organizations don’t know how many privileged accounts they have or where they are located
- Over 50% of privileged accounts never expire or get deprovisioned
We recently launched a 4-part series to better understand what is blocking some SMBs from adopting (or fully adopting) a PAM solution. In part 1, we took aim at a classic player on the workplace landscape — spreadsheets — and shared 10 reasons why, while they might be great for tasks like forecasting budgets, they are awful for PAM.
In case you missed it, check it out here.
Now, let us move forward with part 2 in the series. Here we shine the spotlight on a workplace tool that is creating a dangerously false sense of IT security in many SMBs: password managers.
Business continuity vs. security
According to the Devolutions State of IT Security in SMBs in 2024-25 Survey report, 30% of C-level executives in SMBs have not adopted a PAM solution, because they are using a password manager with vaults, and believe this is sufficient.
This view is understandable, because password managers are sometimes mentioned in articles, videos, and discussions about PAM. What’s more, some vendors who sell password managers tout their products as “PAM solutions” or “enabling PAM.” These claims are not just marketing hype. They are false advertising!
Here is the real story: Essentially, password managers are business continuity tools, and not security tools. They allow users to share vaults that contain different types of sensitive data such as account credentials, credit card numbers, remote connection information, and so on.
This functionality is convenient and efficient. Consider a scenario where a user who created and used multiple passwords leaves the organization. Without vaults, their former colleagues might have to hunt through spreadsheets and notepads to (hopefully) find those passwords. But with vaults, they just log in and get what they need.
Clearly, we can see the value of password managers when it comes to business continuity and administrative ease. However, these advantages have nothing to do with actual cybersecurity, because the surprising truth is that password managers are inherently insecure!
All that the departing user needs to do is copy and paste the passwords into another file. Yes, an organization could change all passwords each time someone leaves. But this is tedious and time-consuming. And what about automatically resetting passwords after each use? This may work for internal accounts, but not for third-party apps or website passwords.
Password managers can increase awareness — but not security
To make things even more confusing, password managers typically offer features that relate to password security, such as:
- Checking against a list of known compromised passwords
- Strong password generator
- Enforcing minimal password requirements
- Logging
Features like these are useful. However, if we look at them closely, we realize that they do not actually make organizations more secure! At best, they help organizations become aware of potential problems and vulnerabilities. They are reactive in nature instead of proactive. They indicate where security in the organization should BEGIN; they do not establish where it should END.
This is especially the case for technical users such as SysAdmins and help desk staff. These professionals work in areas where security needs and risks are the highest. For them, using a password manager for PAM is not just wholly insufficient; it is extremely precarious.
Don’t get rid of your password manager — just add PAM
We are not advising SMBs to get rid of their preferred and familiar password manager. As mentioned, password managers are practical and useful business continuity tools. They can also help increase awareness of vulnerabilities. And tools like strong password generators can promote good password hygiene and habits across end users (who, alas, will always be the weakest link in the IT security chain). All of these are positive.
However, what we are urging SMBs to do is augment their password manager with a genuine PAM product. This is a solution that offers built-in functions and features such as:
- Privileged account discovery
- Role-based access control (RBAC)
- Secure credential injection
- Check-out request approval
- Automatic and scheduled password rotation
- Just-in-time privilege elevation
- Password change propagation
- Session recording
- Administrative reports and auditing
- Built-in approval policies
With a true PAM solution — and not just a business continuity tool labeled as a password manager — SMBs get total control and visibility of their most important and sensitive accounts (a.k.a. “the keys to the kingdom”).
Given the surging risks and potentially catastrophic costs of a data breach, currently priced at an average of $4.88 million USD per incident, PAM must not be viewed by SMB executives as unnecessary because they have a password manager in place. Instead, PAM should be viewed as a fundamental requirement, and a critical investment in their organization’s current and future success.
“PAM for the rest of us!”
Executives who now realize that they don’t actually have PAM in their SMB (despite what they might have been promised by password manager vendors!) should not worry. The way forward is clear: check out Devolutions PAM.
Devolutions PAM is an essential security platform designed to control, monitor, and secure elevated access for users, accounts, processes, and systems across the organization. It seamlessly integrates with enterprise systems, supports a broad range of security protocols, and adheres to governance standards. And just as importantly, Devolutions PAM is easily affordable and designed specifically for SMBs. There is no expensive overhead, and our experts are ready to help (at no additional cost) to ensure rapid, trouble-free implementation.
At Devolutions, we believe that when it comes to privileged access, SMBs need the same robust security and total visibility that large enterprises do — but without getting bogged down by excessive complexity, facing steep learning curves, or breaking their limited IT security budgets. We call it “PAM for the rest of us!”
PAM Champion
We are also delighted to note that Devolutions was recently named a 2025 Champion in the PAM Emotional Footprint report by Info-Tech Research Group. The report quantifies user experience about product value and strength of the user-vendor relationship. Devolutions achieved a perfect Net Emotional Footprint score of +100. We were also one of a handful of vendors to receive 100% positive feedback with zero negative sentiment.
Learn more & next steps
To learn more, contact us today at sales@devolutions.net. We also invite you to explore our all-new Starter Pack, which delivers Devolutions PAM (and more) for up to five users. Click here to learn more and begin a free trial.
Part 3 is on the way
In the next installment of this series, we will focus on another obstacle that, according to the survey report, is preventing some SMBs from adopting a comprehensive PAM solution: the view that multifactor authentication (MFA) is driving robust security across the organization, and serving as a “safety net” for poor password practices.
We will explore why this view is mistaken, and share what SMBs can do to improve password hygiene, strengthen policy enforcement, and significantly lower their IT security risk.