
Survey deep dive: Despite MFA, many SMBs still struggling with weak & reused passwords


This article explores how SMBs, despite adopting MFA, remain vulnerable due to poor password hygiene. It explains how Privileged Access Management (PAM) solutions help enforce stronger security practices and bridge the gap between technology adoption and true cybersecurity maturity.

Steven Lafortune

Hello! I'm Steven Lafortune—Devolutions' communication maestro by day, riff-slaying guitarist by night, and the ultimate hockey play-by-play guy in between. When I'm not rescuing Hyrule in The Legend of Zelda or watching the extended Lord of the Rings trilogy for the 235,476th time, you’ll probably find me rocking out at a show. Quick-witted, always up for a laugh, and full of fresh ideas, I bring the same energy to my work as I do to the stage!


Welcome back to our deep dive into the Devolutions State of IT Security in SMBs in 2024-25 Survey.
In this series, we explore issues and gaps that are preventing some SMBs from establishing a strong, robust, and reliable cybersecurity posture.

In part one, we shared 10 reasons why using spreadsheets for PAM is a mistake, and how it puts SMBs at far greater risk than they realize.

In part two, we explained that while using a password manager with vaults is helpful for business continuity, it is not a cybersecurity solution.

Here in part three, we focus on another key finding from the survey: While 88% of SMBs use multi-factor authentication (MFA), 29% continue to struggle with weak and reused passwords.

Poor password hygiene: Bad for SMBs, good for hackers

Practices such as weak and reused passwords vastly increase the size of the threat surface, which makes a data breach more likely.
A separate survey by cybersecurity firm ExtraHop found that 51% of cyberattacks stemmed from inadequate cyber hygiene.

Weak passwords can be easily cracked — in many cases within seconds. And while using the same password across multiple accounts may be convenient for users, it is also potentially disastrous. Once hackers get hold of a password, they can use automated tools to carry out highly effective credential stuffing attacks against every other account where that password was reused.

While this problem is serious, the solution is clear: Establish strong password policies with a robust PAM solution.

How PAM helps

A PAM solution that includes a password manager as a core component can be configured to force users to create passwords that meet specific complexity requirements. This eliminates the practice and risk of weak passwords.

In addition, a PAM solution can also prevent users from choosing the same password for more than one account, or from using a previous password. This eliminates the practice and risk of reused passwords.

It is worth emphasizing that these major improvements in password hygiene and overall cybersecurity are not just at the policy level. They are at the enforcement level. IT pros do not have to waste time and get frustrated reminding some users over and over (…and over) to follow the rules. A robust PAM solution with a built-in password manager establishes stronger standards and applies them at the point where a password is set. Users who attempt to circumvent these standards — intentionally, ignorantly, or accidentally — will be unable to.
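The enforcement described in this section, as an added illustration that is not Devolutions' code: complexity rules, a per-account password history, and a cross-account reuse check, all applied at the moment a password is set, with only salted digests retained. The policy values (14 characters, 5 remembered passwords) and the account names are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed policy values for illustration only.
MIN_LENGTH = 14
HISTORY_DEPTH = 5
CLASSES = {"lowercase letter": r"[a-z]", "uppercase letter": r"[A-Z]",
           "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}

def complexity_errors(password: str) -> list:
    """Return the complexity rules the candidate violates (empty list = passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASSES.items():
        if not re.search(pattern, password):
            errors.append(f"missing {name}")
    return errors

def _digest(password: str, salt: bytes) -> bytes:
    # Only salted PBKDF2 digests are kept, never the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _same(password: str, record: tuple) -> bool:
    salt, digest = record
    return hmac.compare_digest(_digest(password, salt), digest)

class PasswordVault:
    """Per-account history plus a cross-account reuse check, enforced on every change."""
    def __init__(self):
        self.history = {}  # account -> [(salt, digest), ...], oldest first

    def set_password(self, account: str, password: str) -> list:
        """Apply the policy; store the new digest only if every check passes."""
        errors = complexity_errors(password)
        for other, records in self.history.items():
            if other == account:
                # Reject any of this account's last HISTORY_DEPTH passwords.
                if any(_same(password, r) for r in records[-HISTORY_DEPTH:]):
                    errors.append(f"reused within the last {HISTORY_DEPTH} passwords of {account}")
            elif _same(password, records[-1]):
                # Reject a password that is another account's current password.
                errors.append(f"already in use by account {other}")
        if not errors:
            salt = os.urandom(16)
            self.history.setdefault(account, []).append((salt, _digest(password, salt)))
        return errors
```

Because the check runs inside `set_password`, a user cannot bypass it by ignoring a reminder; the change simply does not happen until the password satisfies the policy.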

From adoption to maturity

This insight from the survey also reveals something else worth exploring: technology adoption isn’t the same as security maturity.
Most SMBs are doing the right thing by adopting MFA. But many are clearly not going deep enough in establishing and enforcing a strong cybersecurity posture, as evidenced by the fact that they are still struggling with basic issues like weak and reused passwords.

To bridge the gap from adoption to maturity and keep pace with today’s threats, SMBs need to go deeper than verifying user access through MFA, and discover what is actually happening across and within their accounts — especially those that provide privileged access to sensitive, valuable, and critical systems and data (a.k.a. “the keys to the kingdom”).

Again, this is where a PAM solution shines by greatly expanding control, visibility, management, governance, and auditing.
We highlight these features and functions in the table below:

What it is: What it does
Role-based access control (RBAC): Ensures that users can only access what they need for their respective day-to-day roles. RBAC minimizes risks, reduces the size of the attack surface, and simplifies compliance.
Automatic password rotation: Automatically changes stored passwords for privileged accounts, which enhances security and reduces the risk of unauthorized access. Scripts can also be created to ensure that password rotations extend across all services, files, and databases — not just some of them. Passwords don't live only in Active Directory and Azure!
Scheduled password rotation: Sets password rotation schedules for specific days/times, or after a defined duration.
Just-in-time privilege elevation: Provides necessary privileges on check-out and revokes them on check-in. This is far more secure than maintaining standing account permissions.
User request management: Enables users to request elevated privileges, and gives approvers (either specific individuals or groups) the power to modify or reject requests as they deem appropriate.
Session recording: Captures session activities as they happen, which supports multiple objectives related to security, compliance, training, information sharing, and recordkeeping.
Administrative reports and auditing: Stores all of the key details of an access request, including: who made the request, when the request was made, if the request was approved, who accepted/rejected the request, when that decision was made, and whether passwords were rotated and propagated.
Secure credential injection: Integrates PAM with a remote connection manager so that users can get streamlined access to remote accounts and machines, but without ever seeing passwords.
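How the just-in-time elevation, request management, and auditing rows of the table fit together, as an added example that is not Devolutions' product code: a request is created, decided by an authorized approver, elevated for a time-boxed check-out, and revoked on check-in or expiry, with every step appended to an audit trail. The approver list, time-to-live, and account names are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

class JitBroker:
    """Time-boxed privilege check-out with an append-only audit trail (constructed example)."""
    def __init__(self, approvers):
        self.approvers = set(approvers)   # who may decide requests
        self.requests = {}                # request id -> state record
        self.audit = []                   # every event, in order
        self._next_id = 1

    def _log(self, now: datetime, **fields):
        self.audit.append({"at": now.isoformat(), **fields})

    def request(self, user: str, account: str, now: datetime) -> int:
        """A user asks for elevated access to a privileged account."""
        rid, self._next_id = self._next_id, self._next_id + 1
        self.requests[rid] = {"user": user, "account": account, "state": "pending", "expires": None}
        self._log(now, event="requested", request=rid, user=user, account=account)
        return rid

    def decide(self, rid: int, approver: str, approved: bool, now: datetime, ttl_minutes: int = 60):
        """Only a listed approver may approve or reject; approval starts the check-out clock."""
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an approver")
        req = self.requests[rid]
        if req["state"] != "pending":
            raise ValueError(f"request {rid} already decided")
        req["state"] = "checked_out" if approved else "rejected"
        if approved:
            req["expires"] = now + timedelta(minutes=ttl_minutes)
        self._log(now, event="approved" if approved else "rejected", request=rid, approver=approver)

    def check_in(self, rid: int, now: datetime):
        """Explicit check-in revokes the privilege immediately."""
        self.requests[rid]["state"] = "checked_in"
        self._log(now, event="checked_in", request=rid)

    def is_elevated(self, rid: int, now: datetime) -> bool:
        """True only while checked out and before the TTL lapses; expiry is logged when first seen."""
        req = self.requests[rid]
        if req["state"] == "checked_out" and now >= req["expires"]:
            req["state"] = "expired"
            self._log(now, event="expired", request=rid)
        return req["state"] == "checked_out"
```

The audit list holds who requested, who decided, when, and when the privilege ended, which is the record set the administrative-reporting row describes.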

Devolutions PAM: Built for SMBs

Devolutions PAM delivers all of the features and functions highlighted in the table above, along with an enterprise-grade password manager that eliminates the risk of weak and reused passwords. Everything is packaged in an all-in-one solution that is easy to use, scalable, flexible, and affordable — and supported by one of the most respected and reputable companies in the industry (see next section). Simply put, Devolutions PAM enables SMBs to bridge the gap from technology adoption to maturity.

Devolutions was recently named a 2025 Champion in the PAM Emotional Footprint report by Info-Tech Research Group. The report quantifies user experience regarding overall product value and strength of the relationship. The result is a “Net Emotional Footprint” score that captures overall user feeling and sentiment. Devolutions achieved a perfect Net Emotional Footprint score of +100, and was one of only a few vendors to receive 100% positive feedback with zero negative sentiment.

Devolutions is also highly recommended by experts. Here is what Carlos Rivera, the Principal Advisory Director at Info-Tech Research Group, says about Devolutions PAM:

"Devolutions presents a compelling alternative within the PAM market. Their dedication to security, robust integrations, and user-centric approach offers a strong foundation for their growth potential. As the PAM landscape continues to evolve, Devolutions' commitment to innovation and customer focus positions them well to become a key player in securing privileged access for organizations of all sizes."

Learn more & next steps

To learn more and put an end to weak and reused passwords — while also greatly expanding access-related control, visibility, management, governance, and auditing — contact us today at sales@devolutions.net.

We also invite you to explore our all-new Starter Pack, which provides our workforce management solutions (and more) for up to five users.
Click here to learn more and begin a free trial.

Part 4 is on the way

In the final installment of this 4-part series, we will address another finding from the survey: many SMBs have not adopted PAM, or not fully adopted PAM, because they worry that it is too complex for them to implement.

We will explore why SMBs should reframe how they perceive PAM, and view implementation as a journey that can start small and scale up based on their needs — all without facing an overwhelming administrative burden, unexpected and excessive costs, or problems integrating with other tools in the environment. Stay tuned!
