A recent global survey highlights a worrying disconnect between small and medium-sized businesses’ confidence in their cybersecurity readiness and the actual measures they have in place. The “State of IT Security for SMBs in 2025” report from Devolutions reveals that while 71% of SMBs express confidence in handling major cybersecurity incidents, only 22% report having an advanced cybersecurity posture, indicating a significant risk gap. The survey also identifies privileged access management as a critical vulnerability, with over half of the respondents still relying on manual methods to manage sensitive credentials. Additionally, although 71% of SMBs plan to increase their use of artificial intelligence tools for cybersecurity, only 25% are currently using them. Budgeting for cybersecurity is on the rise, with 63% of SMBs increasing their security budgets, yet nearly a third allocate less than 5% of their overall IT budgets to security.
They’re not alone. The Techaisle SMB and Midmarket Security Adoption Trends Report highlights a significant level of unpreparedness among small and medium-sized businesses, as well as midmarket firms, in the face of evolving cybersecurity threats. According to the report, 46% of small businesses lack a security protocol for incidents, and 51% have no formal risk frameworks. The report reveals that 68% of small businesses feel less prepared than their peers, and that financial losses due to security incidents average $1.6 million. Midmarket firms also face challenges: 34% lack a security protocol, and they experience higher incident rates, at 57%. The research indicates a critical shift towards cyber resiliency, with 68% of small businesses and 89% of midmarket firms recognizing the importance of not only preventing attacks but also recovering quickly from incidents.
The market for cybersecurity solutions targeted at small and medium-sized businesses is projected to grow significantly, reaching an estimated value of 70 billion dollars by 2034, up from 25 billion dollars in 2024, per data from Exactitude Consultancy. This growth is driven by an increasing frequency of cyberattacks and rising regulatory pressures. Key trends include the adoption of cloud-based security solutions and the emergence of zero-trust architecture, which emphasizes continuous verification for accessing networks.
Why do we care?
We care because this data reveals a dangerous misalignment between perceived and actual cybersecurity readiness among SMBs—posing both a risk to the businesses themselves and an opportunity for IT service providers to step in with strategic, outcome-focused solutions.
There’s a widening credibility and capability gap in SMB cybersecurity—and that gap is where IT service providers must play. But this isn’t a tooling problem. It’s a strategic misalignment problem.
IT providers that lean into cybersecurity as a business enabler—focused on continuity, risk posture maturity, and operational recovery—will be the ones to gain trust and long-term contracts. The winners won’t just sell protection; they’ll sell resilience with accountability. Think less “deploy the tool” and more “prove the risk is managed.”
This is a trust moment, and providers who act like partners, not product pushers, will be the ones SMBs lean on when the inevitable breach comes.

