Small and medium-sized businesses are placing cyber security higher on their strategic priorities as digital transformation accelerates across industries. However, many organizations still lack the operational readiness needed to manage emerging cyber threats effectively.
New global research commissioned by Sage and conducted by IDC surveyed more than 2,200 SMBs across North America, Europe, and South Africa.
The study found that cyber security and data protection now rank among the top priorities for SMBs over the next 12 months, second only to business growth initiatives.
At the same time, nearly six in ten businesses expect to increase cyber security spending. The findings highlight how AI adoption, SaaS dependency, and third-party risks are reshaping the modern threat landscape.
AI Adoption Is Increasing Security Pressure on SMBs
For many SMBs, AI tools are rapidly becoming part of everyday business operations. Companies are embedding AI into customer engagement, finance, HR, productivity systems, and operational workflows.
Despite rapid adoption, organizational readiness remains limited. According to the IDC research, more than 80% of SMBs are either unprepared or still in the early stages of readiness for AI-related cyber threats.
Nearly one-quarter of surveyed businesses have not yet implemented dedicated protections for AI applications. This leaves many organizations exposed as AI-powered threats continue evolving.
The readiness gap appears especially severe among micro and small businesses that often operate with limited cyber security staff, budgets, and internal expertise.
Security Investments Are Not Closing Operational Gaps
Many SMBs report deploying baseline protections such as endpoint security, email protection, patch management, and backup systems. However, operational security practices remain inconsistent.
Far fewer businesses conduct regular employee cyber security training, phishing simulations, or incident response testing. These areas often determine how effectively organizations respond during real-world attacks.
As cyberattacks become increasingly automated and AI-assisted, technical tools alone may not provide sufficient protection. Security culture and operational preparedness are becoming equally important.
The report also found that only a small percentage of micro and small businesses consider their security posture proactive. Many organizations continue to approach cyber security reactively rather than continuously managing risk.
SaaS Expansion Creates New Cyber Security Blind Spots
The report identified third-party and SaaS-related risk as another major concern for SMBs. Businesses are adopting growing numbers of cloud applications and connected operational platforms.
Without dedicated cyber security teams, many smaller organizations struggle to consistently monitor vendors, software providers, and external services integrated into their systems.
A significant number of surveyed micro businesses admitted they do not conduct continuous monitoring of third-party providers. This creates what analysts describe as “visibility fragmentation.”
Experts warn that cyber resilience is no longer only an IT concern. Operational continuity, customer trust, compliance exposure, and long-term scalability increasingly depend on strong security foundations.
Gustavo Zeidan noted that many SMBs want practical and secure ways to adopt AI as threats become more sophisticated. Meanwhile, Joel Stradling said many businesses still underestimate how exposed they are becoming in the modern threat environment.