


A global study on Information Technology security among small and medium-sized businesses, entitled The State of IT security in SMBs in 2025, aimed to identify the progress that SMBs have made over the past year in terms of their security posture, while taking into account the risks and persistent gaps that continue to threaten their data and activities. The objective of the study is to enable SMBs to better understand their position and thus adopt concrete measures to strengthen their security posture.

Six key highlights

The survey, which combined questions with answer choices and open-ended questions, gathered responses from 445 professionals and executives holding IT, security and management roles. It was conducted from February 12 to April 1, 2025 among small and medium-sized businesses located in Canada, the United States, Europe and elsewhere. The Devolutions study highlights six key points concerning the development and effectiveness of the cybersecurity postures of SMBs across the globe, active in many sectors: finance, transportation, healthcare, education, commercial, manufacturing and more.

“I often say that the perception of security and the true level of security may sometimes be very different”, said David Hervieux, President and Founder of Devolutions. “This study highlights the gaps that can exist between the impression of having a strong posture and the reality of the situation, knowing that the fight against cyber threats is constantly evolving. The aim here is not to create apprehension, but to raise awareness and encourage organizations to be as resistant and resilient as possible. This is part of our mission.”

A concerning gap between confidence and capacity

The results of Devolutions’ study show that 71% of SMBs are confident of being able to handle a major cybersecurity incident, but only 22% truly have a posture that is sufficiently advanced to withstand attacks. Interestingly, this sense of confidence increases as the role played within the company moves away from IT specialization and more toward a management role.

Concurrently, when compared to the 2024 study, the overall level of confidence has fallen by 9% in 2025, while the number of SMBs stating that they are well prepared has dropped by 8%. This suggests that respondents are now even more aware of the risks, but less certain of being able to sufficiently react in the event of an incident.

The manual management of privileged access is still all too common

Although protecting the privileged access to systems, data and applications is an essential pillar of any cybersecurity plan, a slim majority of companies rely on outdated methods to manage this access. 52% of SMBs still use manual tools, including documents or spreadsheets, despite the fact that such sources are precisely what ransomware and intrusion programs target. This situation increases the risk of major, avoidable incidents.

Surprisingly, these manual management practices increased by 7% between 2024 and 2025. Indeed, the integration of automated systems raises fears among companies and makes them hesitate, to the detriment of their security posture. Companies must be encouraged to accelerate the deployment of automated, secure, and reinforced privileged access management systems by demonstrating to decision-makers just how vulnerable their businesses are due to old-fashioned manual management practices.

There is great interest in the use of AI, despite the obstacles

When artificial intelligence is applied to cybersecurity, companies can arm themselves with the automated detection of threats and unusual behaviour, among other protective measures. Organizations are enthusiastic about this, with 71% intending to use AI for this purpose and 62% believing that AI will play a critical role within five years. However, today, 40% of respondents use no AI at all within their cybersecurity measures.

Interest in AI as a means of strengthening the security posture is clearly present, but barriers stand in the way: costs, lack of expertise, concerns regarding confidentiality, even the fear of relying too heavily on AI. What is important is that the use of AI in cybersecurity seems inevitable for the majority.

Budgets on the rise, but inefficiently distributed

Cybersecurity budgets are rising, with 63% of small and medium-sized businesses allocating more funds to it in 2025, but these resources still fall short of what is needed to counter growing risks and threats. While 5% of respondents have launched ambitious programs representing more than 20% of their overall budget, 29% spend less than 5%. 25% do not know the percentage.

IT and security teams report delays and gaps in implementing new cybersecurity stages. 55% report budget allocations that are poorly balanced between different needs, thus leading to a paradox between budget increases and a slowdown in overall cybersecurity progression.

A risk not often addressed: threats from within

Devolutions’ 2025 study shows that 78% of SMBs are concerned about threats that may come from within, but only 20% have a plan to counter such risks. Despite the worldwide increase in internal data theft and sabotage within all sectors, 28% of the companies surveyed either have no plan in place or do not consider this a priority threat.

Remarkably, concern over internal threats soared between 2024 and 2025, climbing by 45%. Yet the number of organizations having a response plan only increased by 5%, even if internal wrongdoers can more easily bypass the usual security defenses.

Training improves cybersecurity

Cybersecurity goes beyond sophisticated tools, as it also requires that company specialists be trained in order to exploit these tools effectively, and staff must know how to avoid the most common traps. The relevance of training courses is clear: most security breaches are the result of human error, ranging from a successful phishing attempt to the misconfiguration of a system.

While 39% of responding organizations offer ongoing training and 32% require awareness training, 17% have no programs to ensure best practices and the development of a cybersecurity culture among their talent. Between 2024 and 2025, the number of small and medium-sized businesses which offer such training even decreased by 2%.

The common theme across the SMB cybersecurity survey

Beyond the six key highlights stemming from Devolutions’ 2025 study, a common theme emerges: small and medium-sized businesses take cybersecurity seriously, but struggle to put all the elements in place to strengthen their security posture. The majority want to achieve this goal, but deployment and implementation remain challenges.

According to the survey, 43% of SMBs experienced at least one cyber attack over the past year. Only 31% were able to detect the incident within the first few minutes. Enhanced cybersecurity is making progress, but not quickly enough. However, knowing that the greatest risk of all is not reacting, most of the organizations surveyed by Devolutions are on the right track.

The full State of IT security in SMBs in 2025 report is available here