A global survey of 2,210 small and medium-sized businesses finds cybersecurity ranked second only to revenue growth as a strategic priority, with six in ten firms planning to increase spending on it. Half of those same businesses experienced a security incident or data breach in the past 12 months. The IDC study, commissioned by Sage and published today, traces the disconnect to execution rather than intent.
The research identifies three persistent gaps across the SMB security landscape. First, priority does not translate into daily practice: only 13% of micro businesses and 21% of small businesses describe their approach as proactive, against 48% of medium-sized organisations. Smaller firms typically have the right tools installed — 79% use email security, 67% endpoint protection, 71% regular patching and backup — but only half conduct staff training and phishing simulations, and just 36% test incident response plans.
The second gap concerns third-party and SaaS exposure. As SaaS platforms have become central to SMB operations, monitoring has not kept pace: 43% of micro businesses do not conduct regular or continuous monitoring of their third-party vendors, a blind spot that grows as the average number of SaaS tools increases.
AI sits at the centre of the third gap. Eight in ten SMBs are either unprepared for or at an early stage of readiness for AI-related threats, and nearly a quarter have yet to implement dedicated protections for AI applications. The contrast by size is stark: 63% of medium-sized businesses see AI as a business opportunity, while only 9% of micro businesses agree.
Joel Stradling, Senior Research Director for European Security at IDC, said: "The research suggests many SMBs still believe they are not a prime target for cyberattacks, despite threats becoming more sophisticated and widespread. IDC recommends SMBs embed cybersecurity into AI initiatives from the outset and take an organisation-wide approach to cyber resilience. Businesses that close the gap between growth ambitions and security readiness will be best placed to build long-term digital trust with customers, partners and investors."
Gustavo Zeidan, Chief Information Security Officer at Sage, said: "Many SMBs are excited about the potential of AI but want simple, practical ways to adopt it securely as threats become more sophisticated. Businesses should not have to choose between innovation and security."
One regional finding breaks from the global pattern. UK SMBs are moving faster than the global average on AI security preparedness, signalling a more deliberate approach rather than a reactive one. The study covers eight markets: Canada, France, Germany, Portugal, South Africa, Spain, the United Kingdom, and the United States.