SMBs are aware of cyber risks but slow to act

Cyber threats are accelerating, but many small and medium-sized businesses (SMBs) are stuck in neutral.

Thursday, 12th June 2025, by Phil Alsop

Despite increasing awareness and rising investment in cybersecurity, too few are making the leap from confidence to capability. In fact, 71% of SMBs say they feel confident in handling a major cybersecurity incident – yet only 22% report having an advanced cybersecurity posture, according to Devolutions’ newly released report, “The State of IT Security for SMBs in 2025.”

Based on input from 445 IT, security and executive professionals around the world, the report reveals that this gap between perception and reality is leaving many SMBs vulnerable – particularly in three key areas: Privileged Access Management (PAM), Artificial Intelligence (AI) adoption, and cybersecurity budgeting. Devolutions, a global leader in secure software solutions, conducted the study to help organizations better understand how they can bridge the divide between IT management and security – and where many are still falling short.

PAM: Still Manual, Still Risky

Despite its critical role in minimizing insider threats and credential abuse, 52% of SMBs still rely on manual tools – like spreadsheets or shared vaults – to manage privileged access. That number has grown since 2023.

“Manual access management isn’t just inefficient – it’s dangerous,” notes Maurice Côté, VP Product at Devolutions. “The human is often the weakest link – and spreadsheets don’t make us stronger. SMBs need lightweight, easy-to-deploy PAM tools designed for their reality.”

AI: Everyone’s Talking, Few Are Doing

From automated threat detection and anomaly spotting to predictive analysis and behavior-based access control, AI promises faster, smarter and more scalable defense. However, as the survey points out, promise and practice are two very different things. 71% of SMBs plan to increase their use of AI in cybersecurity, but only 25% are using it today – and 40% haven’t started at all. Concerns around cyberattacks on AI systems, data privacy, and skill gaps are slowing momentum.

“Artificial intelligence is a powerful advancement, but like fire, it must be handled with care,” said Martin Lemay, CISO at Devolutions. “It’s not without flaws, and its reliance on vast amounts of data makes strong governance and clear regulations essential to prevent misuse.”

Budgets Are Up – But Misaligned

While 63% of SMBs increased their cybersecurity spending, nearly a third still allocate less than 5% of their IT budget to security. Many organizations are spending more – but not necessarily spending smarter, and too many organizations still underfund their security efforts relative to their risk exposure.

“Budget increases are encouraging, but throwing more money at cybersecurity doesn’t work if it’s not aligned with real risks,” said Simon Chalifoux, CIO at Devolutions. “SMBs need to spend with intention – on tools, processes and training that match their environment.”

From Awareness to Execution

The big takeaway? SMBs know what’s at stake, but many still lack the tools, strategies and investment alignment to address threats effectively. Without modern PAM, practical AI integration, and smarter budgeting, real progress will remain out of reach.

“Cybersecurity isn’t a checklist – it’s a commitment,” said David Hervieux, CEO of Devolutions. “It’s not enough to feel secure; SMBs need to build the systems, habits and culture that make them secure. That means measuring their posture honestly – and investing like it truly matters. Because it does.”
