State of IT security in SMBs in 2024–2025
What 445 SMB IT pros told us about cybersecurity in 2024–2025
Survey report: what’s working — and what’s missing in SMB cybersecurity
This report distills insights from 445 SMB IT and security professionals into a clear picture of cybersecurity in 2024–2025.
Based on our latest survey, it highlights where SMBs are making progress — and where gaps remain — across PAM, AI, insider threats, training, and budgets.
Dive into the key findings to see how your organization compares — and where to focus next.
Read the report
Feeling secure Isn’t the same as being secure
This year’s survey reveals a defining issue for SMBs in 2024–2025: the gap between cybersecurity confidence and actual readiness.
While 71% of respondents say they feel confident handling a major incident, only 22% report having an advanced security posture. This disconnect — the widest we've seen to date — signals a dangerous overestimation of preparedness and highlights the need for deeper, more aligned action across roles and sectors.
Most SMBs haven’t automated privileged access
52% of SMBs still manage privileged access manually — with spreadsheets, shared vaults, or no formal system at all. Despite rising risks and the critical role of PAM in preventing breaches, most SMBs haven’t adopted automated solutions. Only 32% report using a dedicated PAM tool, pointing to cost, complexity, and lack of awareness as key blockers. The result? Sensitive access remains exposed — and harder to control.
Progress is real — but exposure remains high

0
Faced at least one cyberattack in the past year.
Cyberattacks are no longer rare for SMBs — nearly half were hit, highlighting the urgent need for stronger defense strategies.
0
Detected their most recent incident within minutes
Speed matters in cyber response, yet less than a third of SMBs could identify an attack quickly enough to limit damage.
0
Have full cyber insurance coverage
Most SMBs are underinsured, leaving them financially exposed in the event of a breach or ransomware attack.
0
Of SMBs have adopted an automated PAM solution.
While awareness is growing, adoption remains limited — with cost, complexity, and lack of internal expertise cited as key blockers.
The key to an effortless and effective onboarding process
63% of SMBs increased cybersecurity budgets in the past year — but 29% still allocate less than 5% of their IT spend to security.
Investment is trending up, but many SMBs remain critically underfunded relative to their risk exposure. Budget growth alone isn’t enough — it must align with the scale and complexity of modern threats.
Artificial intelligence : more talk than action

0
plan to increase AI use in cybersecurity

0
aren’t using AI at all today

0
adoption shows SMBs are just beginning with AI in cybersecurity.

Recommendations: what SMBs should do next
Cybersecurity doesn’t need to be perfect — it needs to be practical, consistent, and aligned with your actual risks. Based on this year’s data, here are five priorities every SMB should consider moving forward:
- Move away from manual PAM
- Make training continuous, not occasional
- Bridge the confidence–posture gap
- Get proactive about insider threats
- Match budget to exposure — not history
How Devolutions can help
At Devolutions, we believe SMBs shouldn’t have to choose between simplicity and security. That’s why we’ve developed a suite of privileged access management, password management, and remote access tools — built specifically for small IT teams.
Whether you're just starting with PAM or looking to formalize remote access, Devolutions gives you the tools to move forward — with confidence and control.