Portal
Forum
Devolutions Force
Devolutions Hub Business
Devolutions Hub Personal
Devolutions Send
Devolutions Academy
RDM
Workspace
Launcher
State of IT security in SMBs in 2024–2025
What 445 SMB IT pros told us about cybersecurity in 2024–2025
Survey report: what’s working — and what’s missing in SMB cybersecurity
This report distills insights from 445 SMB IT and security professionals into a clear picture of cybersecurity in 2024–2025.
Based on our latest survey, it highlights where SMBs are making progress — and where gaps remain — across PAM, AI, insider threats, training, and budgets.
Dive into the key findings to see how your organization compares — and where to focus next.
Read the report
Feeling secure Isn’t the same as being secure
This year’s survey reveals a defining issue for SMBs in 2024–2025: the gap between cybersecurity confidence and actual readiness.
While 71% of respondents say they feel confident handling a major incident, only 22% report having an advanced security posture. This disconnect — the widest we've seen to date — signals a dangerous overestimation of preparedness and highlights the need for deeper, more aligned action across roles and sectors.
Most SMBs haven’t automated privileged access
52% of SMBs still manage privileged access manually — with spreadsheets, shared vaults, or no formal system at all. Despite rising risks and the critical role of PAM in preventing breaches, most SMBs haven’t adopted automated solutions. Only 32% report using a dedicated PAM tool, pointing to cost, complexity, and lack of awareness as key blockers. The result? Sensitive access remains exposed — and harder to control.
Progress is real — but exposure remains high
0
Faced at least one cyberattack in the past year.
Cyberattacks are no longer rare for SMBs — nearly half were hit, highlighting the urgent need for stronger defense strategies.
0
Detected their most recent incident within minutes
Speed matters in cyber response, yet less than a third of SMBs could identify an attack quickly enough to limit damage.
0
Have full cyber insurance coverage
Most SMBs are underinsured, leaving them financially exposed in the event of a breach or ransomware attack.
0
Of SMBs have adopted an automated PAM solution.
While awareness is growing, adoption remains limited — with cost, complexity, and lack of internal expertise cited as key blockers.
The key to an effortless and effective onboarding process
63% of SMBs increased cybersecurity budgets in the past year — but 29% still allocate less than 5% of their IT spend to security.
Investment is trending up, but many SMBs remain critically underfunded relative to their risk exposure. Budget growth alone isn’t enough — it must align with the scale and complexity of modern threats.
Artificial intelligence : more talk than action
0
plan to increase AI use in cybersecurity
0
aren’t using AI at all today
0
adoption shows SMBs are just beginning with AI in cybersecurity.
Recommendations: what SMBs should do next
Cybersecurity doesn’t need to be perfect — it needs to be practical, consistent, and aligned with your actual risks. Based on this year’s data, here are five priorities every SMB should consider moving forward:
- Move away from manual PAM
- Make training continuous, not occasional
- Bridge the confidence–posture gap
- Get proactive about insider threats
- Match budget to exposure — not history
How Devolutions can help
At Devolutions, we believe SMBs shouldn’t have to choose between simplicity and security. That’s why we’ve developed a suite of privileged access management, password management, and remote access tools — built specifically for small IT teams.
Whether you're just starting with PAM or looking to formalize remote access, Devolutions gives you the tools to move forward — with confidence and control.
Join our newsletter
Stay up to date on everything Devolutions, from security news to upcoming events, product updates, tips and tricks, and more!