Steven Lafortune
We are delighted to announce that the Devolutions’ State of IT Security in SMBs in 2025-2026 Survey report is now available.
This was our largest-ever global cybersecurity survey, polling hundreds of professionals across IT, security, and executive leadership roles.
Click here to get the report right now and dive into the data. Otherwise, keep reading to learn more about the survey and get a summary of key findings.
About the survey
In today’s threat landscape, small and medium-sized businesses (SMBs) are no longer off the radar. Instead, they are on the front lines. To better understand how SMBs are responding — or failing to respond — to this new normal, our comprehensive survey explored:
The confidence that SMBs have in their cybersecurity readiness
How SMBs are using PAM to manage their most sensitive assets
Whether SMBs are adopting AI to strengthen their cybersecurity profile
The amount that SMBs are investing in cybersecurity — and if this allocation matches reality
How SMBs are spotting and preventing insider threats
How SMBs are training their workforce to detect threats and stop breaches before they happen
Key findings
The report is loaded with interesting, insightful, and in many cases unexpected revelations. Here are some — but certainly not all — key findings:
While 71% of SMBs feel confident in handling a major cybersecurity incident, just 22% say that they have an advanced cybersecurity posture. The good news is that the awareness of risk is growing. The bad news is that this is not yet translating into a leap in readiness.
52% of SMBs still manage privileged access using manual processes like spreadsheets, vaults, or no formal system at all. Unfortunately, manual processes introduce human error, obscure visibility, and delay revocation when people change roles or leave the company. Clearly, the move to modern PAM isn’t happening fast enough.
40% of SMBs aren’t using AI at all to strengthen their cybersecurity profile. This is worrisome; especially since cyber criminals are using AI to accelerate attacks and evolve threats. SMBs that treat AI as a partner — and not a plugin — will be the ones who thrive.
29% of SMBs allocate less than 5% of their IT budget to cybersecurity. The paradigm needs to change — and the sooner, the better. Cybersecurity is no longer a technical cost, but rather a business risk. SMBs that treat it as an IT line item will find themselves unprepared for the demands ahead.
Just 20% of SMBs have a comprehensive plan for mitigating and managing insider threats. Many SMBs are adopting PAM, MFA, or training programs — all of which are essential. But without tying them into a broader insider strategy, they’re missing the point and increasing their risk.
Only 39% of SMBs offer continuous cybersecurity training, and 17% offer none at all. This is more than disconcerting — it’s alarming. SMBs need to embrace the truth that cybersecurity training isn’t optional. It’s the frontline. And if it’s not continuous, then it’s not effective.
Recommendations
The report also provides targeted recommendations to help SMBs benchmark their progress, spot their blind spots, and build a smarter, more secure future.
Importantly, the recommendations featured in the report are practical and do not add complexities that SMBs cannot manage, or suggest costs they cannot afford. You’ll find everything in the report!
Insights from our CEO
We asked our CEO, David, to provide some insights on the report, and discuss what it means for SMBs that need to stay safe and strong on an increasingly dangerous threat landscape. Here is what he shared:
“The report confirms what we’ve been hearing for years: it’s not about awareness anymore. It’s about initiative. SMBs cannot continue feeling that they are secure because they have been reading about cybersecurity for years. Yes, knowledge is power. But action is empowering. SMBs need to go from passenger to pilot by building systems, habits, and cultures that justify the confidence they have — or soon want to have — in their cybersecurity profile.
However, this does not mean that SMBs have to do everything all at once. Rather, it means that they need to do the right things, at the right time, and in the right order. The future isn’t about outrunning every threat — it’s about building the reflexes to respond with clarity, confidence, and control.
At Devolutions, we believe that SMBs deserve solutions designed for their scale, their speed, and their reality. If our survey report helps SMBs take at least one meaningful step forward — such as reviewing their training, formalizing their access policy, or just have a better conversation with their team — then it has done its job. Because in cybersecurity, doing nothing is the biggest risk of all.”
Get the report
Click the banner below to download the report. There is no cost or sign-up required. Your download [PDF] is immediate.
We also invite you to share your feedback by commenting below, or across our social media channels.
