State of IT security in SMBs in 2024–2025

What 445 SMB IT pros told us about cybersecurity in 2024–2025

Survey report: what’s working — and what’s missing in SMB cybersecurity

This report distills insights from 445 SMB IT and security professionals into a clear picture of cybersecurity in 2024–2025.

Based on our latest survey, it highlights where SMBs are making progress — and where gaps remain — across PAM, AI, insider threats, training, and budgets.

Dive into the key findings to see how your organization compares — and where to focus next.

Read the report
security large color logo

Feeling secure Isn’t the same as being secure

This year’s survey reveals a defining issue for SMBs in 2024–2025: the gap between cybersecurity confidence and actual readiness.

While 71% of respondents say they feel confident handling a major incident, only 22% report having an advanced security posture. This disconnect — the widest we've seen to date — signals a dangerous overestimation of preparedness and highlights the need for deeper, more aligned action across roles and sectors.

Most SMBs haven’t automated privileged access

52% of SMBs still manage privileged access manually — with spreadsheets, shared vaults, or no formal system at all. Despite rising risks and the critical role of PAM in preventing breaches, most SMBs haven’t adopted automated solutions. Only 32% report using a dedicated PAM tool, pointing to cost, complexity, and lack of awareness as key blockers. The result? Sensitive access remains exposed — and harder to control.

Progress is real — but exposure remains high

Sysadmin Bob

0

Faced at least one cyberattack in the past year.

Cyberattacks are no longer rare for SMBs — nearly half were hit, highlighting the urgent need for stronger defense strategies.

0

Detected their most recent incident within minutes

Speed matters in cyber response, yet less than a third of SMBs could identify an attack quickly enough to limit damage.

0

Have full cyber insurance coverage

Most SMBs are underinsured, leaving them financially exposed in the event of a breach or ransomware attack.

0

Of SMBs have adopted an automated PAM solution.

While awareness is growing, adoption remains limited — with cost, complexity, and lack of internal expertise cited as key blockers.

The key to an effortless and effective onboarding process

63% of SMBs increased cybersecurity budgets in the past year — but 29% still allocate less than 5% of their IT spend to security.
Investment is trending up, but many SMBs remain critically underfunded relative to their risk exposure. Budget growth alone isn’t enough — it must align with the scale and complexity of modern threats.

Artificial intelligence : more talk than action

sys-security

0

plan to increase AI use in cybersecurity

Sys-automation

0

aren’t using AI at all today

sys-elevate-priviledge

0

adoption shows SMBs are just beginning with AI in cybersecurity.

Recommendations: what SMBs should do next

Cybersecurity doesn’t need to be perfect — it needs to be practical, consistent, and aligned with your actual risks. Based on this year’s data, here are five priorities every SMB should consider moving forward:

  • Move away from manual PAM
  • Make training continuous, not occasional
  • Bridge the confidence–posture gap
  • Get proactive about insider threats
  • Match budget to exposure — not history

How Devolutions can help

At Devolutions, we believe SMBs shouldn’t have to choose between simplicity and security. That’s why we’ve developed a suite of privileged access management, password management, and remote access tools — built specifically for small IT teams.

Whether you're just starting with PAM or looking to formalize remote access, Devolutions gives you the tools to move forward — with confidence and control.

Learn more

Security isn't a project, it's a posture

The good news? SMBs have never had more access to affordable tools, smarter training, and partner support than they do today. But to truly close the gap, it’s not enough to deploy new tools — security must be embedded into every layer of your organization.

“Cybersecurity isn’t about fear — it’s about readiness. And readiness means more than tools. It means awareness, alignment, and action. At Devolutions, we believe that SMBs deserve solutions designed for their scale, their speed, and their reality. You don’t have to do everything — but you have to start. Because in cybersecurity, doing nothing is the biggest risk of all.”
David Hervieux, CEO, Devolutions