IT-led PAM, fast, affordable, compliant privileged access management for SMBs

Devolutions Whitepaper October 2025

For attackers, privileged access is the prize: get administrator rights (or a path to them) and everything downstream becomes faster and cheaper to compromise. Recent breach data confirms that:

  • Credential abuse remains the most common initial access vector;
  • Exploitation of vulnerabilities has surged;
  • Ransomware is present in a large share of breaches and disproportionately affects SMBs (Verizon 2025, 6).

These dynamics make privileged access management (PAM) the shortest path to meaningful risk reduction — and a prerequisite for insurability and audit readiness.

However, industry research also shows confusion between PAM and adjacent practices: for example, some teams adopt a password manager as a substitute for a PAM vault, or divert budgets to full‑stack identity and access management (IAM) that doesn’t address immediate, small-business needs (Mulholland 2019). That confusion delays outcomes that auditors and insurers increasingly expect.

 

SMBs don’t need “full‑stack” PAM to materially lower risk, satisfy auditors/insurers, and improve operational discipline. They need IT‑led PAM, a right‑sized foundation they can deploy quickly and affordably, operate day‑to‑day, and scale over time.

 

THE SMB THREAT LANDSCAPE

 

  • Credential‑centric threats: Credential abuse is the leading initial access vector, and in 46% of sampled infostealer logs the corporate credentials came from unmanaged or BYOD systems — evidence that basic hygiene (vaulting, rotation, device policy) matters (Verizon 2025, 8).
  • Stolen credential supply: Credential dumps ballooned to 16 billion compromised records — fuel for password‑reuse attacks (Lapienytė 2025).
  • Ransomware prevalence: Present in 44% of breaches overall, ransomware hits SMBs disproportionately, affecting them more than twice as much as larger organizations (Verizon 2025, 6).
  • Third‑party blast radius: Third‑party involvement in breaches doubled to 30%, raising the bar on contractor, vendor, and MSP access controls (Verizon 2025, 7).
  • Data breach costliness: The 2024 global average reached $4.88M USD; while SMB totals are lower, the proportional impact can be existential (IBM 2024, 6).

 

WHAT’S DRIVING SMBS TO PAM

 

Besides the looming shadow of cyber threats, there are some common triggers prompting SMBs to seek PAM: notably, these triggers relate to compliance and cyber insurance requirements.

  • NIS2 (EU): Official technical guidance raises expectations on access governance, naming privileged account management as a control policy (ENISA 2025, 135–136).
  • ISO/IEC 27001:2022 Annex A 8.2: This global standard explicitly calls for managing privileged access rights (Dange 2024).
  • Insurer minimums: Underwriters increasingly expect hardened access controls — often itemized on questionnaires, materially affecting insurability and premiums (Marsh & McLennan Companies, Inc. 2022, 3).
  • U.S. standards: CISA and the National Security Agency (NSA) point to least privilege, strong MFA, and privileged account controls as mitigations for identity and access threats (NSA and CISA 2023, 6). OMB memorandum M-22-09, which sets the federal zero trust architecture (ZTA) strategy, likewise notes that PAM is necessary for “improving the security of high privilege systems that are difficult or infeasible to modernize in the near term” (Office of Management and Budget 2022, 8). That strategy binds federal agencies, but it sets a benchmark the commercial sector, SMBs included, can follow.

Across frameworks and regulators, teams are typically asked to “show the evidence” that privileged access is tightly governed. That tends to boil down to artifacts that prove:

  • Who had access (authorizations, approvals, justifications, and time‑bound access windows).
  • Which secrets are protected (passwords vaulted; credentials injected so users never see/reuse them).
  • What occurred (session recording and logs with appropriate retention).

A compact, IT‑led PAM foundation addresses exactly these artifacts.

 

WHY FULL-STACK PAM ISN’T RIGHT FOR SMBS

 

Full‑stack PAM is commonly defined as an end‑to‑end strategy that spans credential/secrets management, session management/recording, endpoint privilege management (EPM/PEDM), cloud entitlement management, and automation/ machine‑identity use cases, ideally unified on a single platform (Haber 2025).

While that breadth is attractive for large enterprises, it typically implies multi‑module rollouts, broader integrations, and longer implementation windows — factors that can be disproportionate for small IT teams that need value fast (Haber 2025).

Independent industry commentary aligns with this reality: cost and complexity frequently hinder SMB security adoption, even when risk awareness is high (Germain 2025). Devolutions’ 2024–2025 SMB survey found that many small businesses still rely on manual methods (spreadsheets, shared vaults) to manage privileged credentials, and that use of these methods increased; participants cited cost, lack of awareness, and low perceived need as the top blockers to adopting formal PAM (Devolutions 2025, 11).

The pattern is clear: heavyweight deployments often miss the time‑to‑value window for smaller teams.

The result: full‑stack PAM may promise broad coverage, but often fails on time‑to‑value and operational fit for SMBs. Conversely, no PAM (or “just a password manager”) fails audits and leaves standing privileges exploitable.

 

The right answer for small teams is a focused control set of PAM fundamentals aligned to auditor expectations backed by modern guidance (NIS2, ISO 27001 A.8.2, NSA/CISA standards) and insurer checklists.

 

Why password managers aren’t enough

Password managers secure and share secrets, but they don’t govern privileged access the way auditors and insurers expect. Because they’re designed to be collaborative and keep shared passwords circulating and accessible, most password managers do not:

  • Automatically rotate passwords after use;
  • Include approval workflows with justifications and time-boxed checkout;
  • Integrate with remote connection management platforms (so remote access often devolves into copy-pasting or memorizing passwords instead of injecting credentials);
  • Perform privileged account discovery or enforce least-privilege patterns across admins, vendors, and service accounts.

In audits, these gaps surface as failures to prove authorization, oversight, and post‑use hygiene: precisely the evidence a formal PAM platform is designed to produce.

 

THE IT-LED PAM MODEL

 

An IT‑led program is owned by IT administrators, deploys in hours or days (instead of weeks, months — or even years), and focuses on a small set of controls that stop real attacks and answer auditors from day one.

A practical SMB‑grade baseline typically includes:

  • Privileged account discovery
  • Credential vaulting
  • Approval workflows and privileged account checkout
  • Automated password rotation and propagation

As maturity grows, teams can add session brokering and recording; monitoring and reporting; just‑in‑time (JIT) elevation; and zero standing privilege (ZSP) to shrink the “always‑on admin” attack surface.

 

IT-LED BEST PRACTICES (SMBS)

 

Fundamental

Prioritize discovery and rotation for admin accounts. Catalog accounts, including nested group members, non-expiring passwords, and service accounts, and implement password rotation to stop the silent “evergreen” admins that insurers flag (Devolutions n.d., “Account discovery”; “PAM password rotation policies”; “Propagation scripts”).
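As an added illustration of the discovery step (example code written for this page, not part of the Devolutions paper or its products), the following PowerShell inventories the members of Active Directory’s built‑in privileged groups, expands nested membership, and flags the “evergreen” pattern: enabled admins whose password has never been set, never expires, or is older than a threshold. It assumes the RSAT ActiveDirectory module on a domain‑joined host; the group list and the 90‑day threshold are assumptions to adjust to your own policy.

```powershell
# Added example: inventory privileged AD accounts and flag stale ("evergreen") passwords.
# Not Devolutions code. Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# Assumed scope: default AD groups that confer tier-0 or near-tier-0 rights.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
)
$MaxPasswordAgeDays = 90   # assumed rotation threshold; align with policy / insurer questionnaire

function Get-PrivilegedAccountReport {
    param(
        [string[]] $Groups     = $PrivilegedGroups,
        [int]      $MaxAgeDays = $MaxPasswordAgeDays
    )

    # Expand nested membership so admins hidden behind intermediate groups are not missed.
    $membership = foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [pscustomobject]@{ Via = $g; Sam = $_.SamAccountName } }
    }

    $now = Get-Date
    $membership | Group-Object Sam | ForEach-Object {
        $u = Get-ADUser -Identity $_.Name -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate
        $ageDays = if ($u.PasswordLastSet) { [int]($now - $u.PasswordLastSet).TotalDays } else { $null }

        # "Evergreen" = enabled admin whose password is non-expiring, never set, or older than the threshold.
        $flags = @()
        if ($u.PasswordNeverExpires)      { $flags += 'PasswordNeverExpires' }
        if ($null -eq $u.PasswordLastSet) { $flags += 'PasswordNeverSet' }
        elseif ($ageDays -ge $MaxAgeDays) { $flags += "PasswordAge>${MaxAgeDays}d" }

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            Groups          = ($_.Group.Via | Sort-Object -Unique) -join ';'
            PasswordAgeDays = $ageDays
            LastLogonDate   = $u.LastLogonDate
            Findings        = $flags -join ','
        }
    }
}

$report = Get-PrivilegedAccountReport

# Evidence artifact for auditors/insurers: the full catalog ...
$report | Export-Csv -Path .\privileged-accounts.csv -NoTypeInformation

# ... and the remediation list: enabled admins that need rotation or a PAM-managed lifecycle.
$report | Where-Object { $_.Enabled -and $_.Findings } | Format-Table -AutoSize
```

Two practical notes: Get-ADGroupMember stops at the AD Web Services default of 5,000 members per group, so for very large groups read the group’s member attribute instead; and the report deliberately keeps disabled accounts in the CSV (they are still evidence of who had access) while only the enabled ones land on the remediation list.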

Standardize admin access through approved workflows. Require justification and time‑bound approvals for any privileged action; auto‑rotate on check‑in (Devolutions n.d., “Check-out approvals”).

Inject (broker) credentials. Launch sessions (RDP, SSH, VNC, SFTP, Telnet, etc.) via the PAM tool with credential injection so users can’t see or reuse secrets (Devolutions n.d., “Session management”). Injection keeps the secret out of the user’s clipboard and memory, not out of the client process that performs the login, so pair it with rotation on check‑in: a credential captured from the endpoint then has a short useful life.

Advanced, but accessible

Record high‑risk sessions. Enable session recording with pause/terminate controls and retention aligned to policy; this creates decisive evidence for investigations and auditors (Devolutions n.d., “Session recording”).

Develop an external/third‑party access strategy. Use vendor‑specific roles, approvals, temporary access, and session monitoring; the 2025 DBIR shows third‑party involvement in breaches doubling to 30% — hence the necessity to prove external access control (Verizon 2025, 7; Devolutions n.d.).

Adopt JIT elevation and ZSP. Grant admin only for the task duration; remove group membership on check‑in to reduce your “always‑on” attack surface (Tenable 2023; Devolutions n.d., “Zero standing privilege”).
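One way to implement the JIT/ZSP pattern with on‑board Windows tooling, as an added example (not Devolutions code and not a description of its product): Active Directory’s optional Privileged Access Management Feature lets a group membership carry a time‑to‑live, after which the directory removes the member itself and caps the lifetime of Kerberos tickets issued in the meantime to the remaining TTL. It assumes a forest at Windows Server 2016 functional level or later, the RSAT ActiveDirectory module, and placeholder names (`corp.example.com`, `jdoe-adm`, a one‑hour window) that are not from the paper.

```powershell
# Added example: JIT elevation via time-bound AD group membership (Privileged Access Management
# Feature). Not Devolutions code. Assumes RSAT ActiveDirectory and a Windows Server 2016+ forest level.
Import-Module ActiveDirectory

# One-time, irreversible, forest-wide enablement (run as Enterprise Admin). Placeholder forest name.
# Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
#     -Scope ForestOrConfigurationSet -Target 'corp.example.com'

function Grant-JitMembership {
    param(
        [Parameter(Mandatory)] [string]   $Identity,       # e.g. 'jdoe-adm' (placeholder)
        [Parameter(Mandatory)] [string]   $Group,          # e.g. 'Domain Admins'
        [Parameter(Mandatory)] [string]   $Justification,  # ticket/change reference for the audit trail
                               [timespan] $Ttl = (New-TimeSpan -Hours 1)
    )
    # The TTL is stored with the membership; AD expires it without any scheduled cleanup task.
    Add-ADGroupMember -Identity $Group -Members $Identity -MemberTimeToLive $Ttl

    # Minimal evidence record: who, what, why, and the access window (a PAM tool keeps this for you).
    $now = Get-Date
    [pscustomobject]@{
        Time          = $now.ToString('o')
        Identity      = $Identity
        Group         = $Group
        ExpiresAt     = $now.Add($Ttl).ToString('o')
        Justification = $Justification
    } | Export-Csv -Path .\jit-grants.csv -Append -NoTypeInformation
}

function Get-JitMembership {
    param([Parameter(Mandatory)] [string] $Group)
    # With -ShowMemberTimeToLive, time-bound members are returned as '<TTL=<seconds>,CN=...>'.
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like '<TTL=*' }
}

function Revoke-JitMembership {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $Group
    )
    # Early check-in: remove the membership now instead of waiting for the TTL to lapse.
    Remove-ADGroupMember -Identity $Group -Members $Identity -Confirm:$false
}

# Usage (placeholders):
# Grant-JitMembership -Identity 'jdoe-adm' -Group 'Domain Admins' -Justification 'CHG-1234 patch DC02'
# Get-JitMembership   -Group 'Domain Admins'
# Revoke-JitMembership -Identity 'jdoe-adm' -Group 'Domain Admins'
```

Like any group‑based control, the TTL governs tickets issued after the grant: an interactive session or service ticket obtained before the membership lapsed keeps its group SIDs until it expires, which is why short windows and session recording complement each other rather than substitute for one another.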

 

IT-LED BEST PRACTICES (MSPS)

 

Partition customers. Maintain separate vaults per client to ensure data segregation and contract‑level access policies.

Enforce least privilege for technicians. Grant only the minimum rights needed per client and prioritize management of the top “tier‑0” privileged accounts.

Always inject (broker) credentials. Ensure technicians connect without ever viewing secrets; integrate brokering with your remote connection workflows.

Use approval workflows for privileged use. Require justification and timeboxed approvals for privileged actions and maintain auditable records.

Integrate your remote connection tool with your PAM platform. Configure it to consume privileged credentials from the vault for consistent policy enforcement and logging.

 

CONCLUSION

 

What the research says

  • Credential abuse and vulnerability exploitation dominate initial access, ransomware is present in nearly half of breaches, and third‑party exposure is surging (Verizon 2025, 6–7).
  • Auditors and insurers increasingly expect MFA and PAM controls, while cybersecurity standards across the globe require demonstrable restriction and management of privileged rights (ENISA 2025; Dange 2024).
  • SMBs recognize the problem but stall on adoption due to cost, complexity, and confusion over what PAM actually entails (Devolutions 2025; Mulholland 2019).

The IT‑led solution

Start with PAM essentials that small teams can deploy and run: discovery, credential vaulting, credential injection (brokering), and approvals. Once these fundamentals are in place, SMBs can bolster their strategy with session recording, rotation and propagation, and JIT/ZSP.

This foundation drastically reduces the credential and standing‑privilege attack surface today, generates the evidence audits require, and builds a scalable on‑ramp to broader privilege and secrets governance as maturity grows.

 

Devolutions’ IT-led PAM solution package bundles the essential security foundation SMBs need at a fraction of full‑stack cost:

  • Essentials‑focused: Privileged account discovery, vaulting with brokered access, password rotation/propagation, approval workflows, and built‑in MFA.
  • Affordable: Transparent prices that fit SMB budgets.
  • Lightweight: Rapid deployment and simple adoption — deploys in hours or days instead of weeks or months (or even years).
  • Flexible data storage options: Both cloud‑hosted (Devolutions Hub Business) and self‑hosted (Devolutions Server) data residency options are offered.
  • Path to maturity: Native JIT elevation and ZSP help teams progress from PAM fundamentals to stronger least‑privilege controls without having to change platforms. The PAM solution package also covers remote connection management (e.g., session monitoring/recording) by including the industry‑leading, IT‑favorite: Remote Desktop Manager.

 

The bottom line

If you’re an SMB, mid‑market IT team, or an MSP juggling many small businesses, IT‑led PAM gives you the right controls, right away, to reduce breach risk, pass audits, and satisfy insurers without the complexity and cost of full‑stack enterprise deployments.

We help organizations tame IT chaos by providing solutions for password management, remote connections, and privileged access management.

DEVOLUTIONS

Security & Privacy | infos@devolutions.net

All rights reserved © 2025 Devolutions