Cybersecurity is considered one of the top strategic priorities for small and medium sized businesses (SMBs) worldwide, but many organizations remain exposed to attacks despite rising investment, according to new research commissioned by Sage, the leader in accounting, financial, HR and payroll technology for SMBs.
The study, conducted by IDC and titled SMBs in the Age of AI: Navigating cyber complexity and building resilience, based on a global survey of 2,210 SMBs, found that over half (52%) rank cybersecurity and data protection among their top business priorities for the next 12 months, second only to growth (59%) and well ahead of scaling AI adoption (33%). Six in ten SMBs (60%) also expect to increase cybersecurity spending over the same period.
Despite this momentum, many SMBs remain vulnerable to cyber-attacks, with one in two experiencing an incident or data breach in the last year. This highlights a resilience gap between SMBs prioritizing cybersecurity and the realities of how effectively it is embedded in day-to-day operations.
The findings point to three gaps holding SMBs back:
- Security is prioritized but not embedded day-to-day: Only 13% of micro businesses and 21% of small businesses describe their cybersecurity approach as proactive, compared with 48% of medium sized organizations, leaving smaller firms more vulnerable to disruption.
- Tools are in place but not consistently applied: Most SMBs report using baseline protections such as email security (79%), endpoint protection (67%) and regular patching and data backup (71%). Yet far fewer carry out staff training and phishing simulations (50%), train employees consistently or test incident response plans (36%), limiting the real world effectiveness of these investments when incidents occur.
- Third party and SaaS risk is expanding faster than oversight: As SaaS platforms become central to operations, security monitoring often remains infrequent. Among micro businesses, 43% do not conduct regular or continuous monitoring of third-party vendors, creating blind spots across increasingly complex digital ecosystems.
AI accelerates pressure on already stretched security
AI adoption is intensifying cybersecurity pressure for SMBs, with readiness lagging behind risk. Eight in ten (81%) of SMBs are not prepared or remain in the early stages of preparedness for AI-related threats, while nearly a quarter (22%) have yet to implement dedicated protections for AI applications.
The gap is even more pronounced among smaller firms. Among micro businesses, 84% say they are either unprepared or only at an early stage of readiness, with many lacking specific safeguards as AI use grows.
The gaps are pronounced by business size too. The research found that 63% of medium-sized businesses see AI as a business opportunity, but only 23% of small businesses and 9% of micro businesses agree.
For SMB customers, Sage is focused on making cybersecurity more accessible by embedding security into the design of everyday software from the outset, backed by continuous testing, secure coding practices aligned to OWASP standards, and ongoing security training for engineers. Sage also works with industry bodies, partners and government initiatives, including the UK Government’s Software Security Ambassadors Scheme, to support practical, accessible cybersecurity approaches that strengthen resilience across the wider SMB ecosystem.
Methodology
IDC conducted a custom survey of 2,210 SMBs across eight geographies: Canada (300), France (330), Germany (330), Portugal (100), South Africa (150), Spain (200), United Kingdom (300), and United States (500).
Software Security Ambassadors Scheme
Sage is a participant in the UK Government’s Software Security Ambassadors Scheme, led by the Department for Science, Innovation and Technology. The initiative brings together industry leaders to champion the adoption of the Software Security Code of Practice, helping to strengthen software supply chain security and improve cyber resilience across the UK economy.
As part of the scheme, Sage works alongside government and industry partners to promote secure-by-design principles, share best practice, and support the development of practical, accessible approaches to cyber security for businesses of all sizes.
Learn more about the Software Security Ambassadors Scheme here.
Learn more about Trust and Security with Sage here.
Related
This entry was posted on May 20, 2026 at 10:00 am and is filed under Commentary with tags Sage. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Cybersecurity climbs the SMB agenda, as AI pressure exposes resilience gaps
Cybersecurity is considered one of the top strategic priorities for small and medium sized businesses (SMBs) worldwide, but many organizations remain exposed to attacks despite rising investment, according to new research commissioned by Sage, the leader in accounting, financial, HR and payroll technology for SMBs.
The study, conducted by IDC and titled SMBs in the Age of AI: Navigating cyber complexity and building resilience, based on a global survey of 2,210 SMBs, found that over half (52%) rank cybersecurity and data protection among their top business priorities for the next 12 months, second only to growth (59%) and well ahead of scaling AI adoption (33%). Six in ten SMBs (60%) also expect to increase cybersecurity spending over the same period.
Despite this momentum, many SMBs remain vulnerable to cyber-attacks, with one in two experiencing an incident or data breach in the last year. This highlights a resilience gap between SMBs prioritizing cybersecurity and the realities of how effectively it is embedded in day-to-day operations.
The findings point to three gaps holding SMBs back:
AI accelerates pressure on already stretched security
AI adoption is intensifying cybersecurity pressure for SMBs, with readiness lagging behind risk. Eight in ten (81%) of SMBs are not prepared or remain in the early stages of preparedness for AI-related threats, while nearly a quarter (22%) have yet to implement dedicated protections for AI applications.
The gap is even more pronounced among smaller firms. Among micro businesses, 84% say they are either unprepared or only at an early stage of readiness, with many lacking specific safeguards as AI use grows.
The gaps are pronounced by business size too. The research found that 63% of medium-sized businesses see AI as a business opportunity, but only 23% of small businesses and 9% of micro businesses agree.
For SMB customers, Sage is focused on making cybersecurity more accessible by embedding security into the design of everyday software from the outset, backed by continuous testing, secure coding practices aligned to OWASP standards, and ongoing security training for engineers. Sage also works with industry bodies, partners and government initiatives, including the UK Government’s Software Security Ambassadors Scheme, to support practical, accessible cybersecurity approaches that strengthen resilience across the wider SMB ecosystem.
Methodology
IDC conducted a custom survey of 2,210 SMBs across eight geographies: Canada (300), France (330), Germany (330), Portugal (100), South Africa (150), Spain (200), United Kingdom (300), and United States (500).
Software Security Ambassadors Scheme
Sage is a participant in the UK Government’s Software Security Ambassadors Scheme, led by the Department for Science, Innovation and Technology. The initiative brings together industry leaders to champion the adoption of the Software Security Code of Practice, helping to strengthen software supply chain security and improve cyber resilience across the UK economy.
As part of the scheme, Sage works alongside government and industry partners to promote secure-by-design principles, share best practice, and support the development of practical, accessible approaches to cyber security for businesses of all sizes.
Learn more about the Software Security Ambassadors Scheme here.
Learn more about Trust and Security with Sage here.
Share this:
Like this:
Related
This entry was posted on May 20, 2026 at 10:00 am and is filed under Commentary with tags Sage. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.