Cybersecurity climbs the SME agenda as AI pressure exposes resilience gaps

Cybersecurity is considered one of the top strategic priorities for small and medium sized businesses (SMEs) worldwide, but many organisations remain exposed to attacks despite rising investment, according to new research commissioned by Sage, the leader in accounting, financial, human resources and payroll technology for SMEs.

The study, conducted by the International Data Corporation and titled “SMBs in the Age of AI: Navigating cyber complexity and building resilience”, based on a global survey of 2 210 SMEs, found that over half (52%) rank cybersecurity and data protection among their top business priorities for the next 12 months, second only to growth (59%) and well ahead of scaling AI adoption (33%).

Six in 10 SMEs (60%) also expect to increase cybersecurity spending over the same period.

Despite this momentum, many SMEs remain vulnerable to cyberattacks, with one in two experiencing an incident or data breach in the last year. This highlights a resilience gap between SMEs prioritising cybersecurity and the realities of how effectively it is embedded in day-to-day operations.

The findings point to three gaps holding SMEs back:

1. Security is prioritised, but not embedded day-to-day: Only 13% of micro businesses and 21% of small businesses describe their cybersecurity approach as proactive, compared with 48% of medium-sized organisations, leaving smaller firms more vulnerable to disruption.
2. Tools are in place, but not consistently applied: Most SMEs report using baseline protections such as email security (79%), endpoint protection (67%) and regular patching and data backup (71%). Yet, far fewer carry out staff training and phishing simulations (50%), train employees consistently or test incident response plans (36%) – limiting the real-world effectiveness of these investments when incidents occur.
3. Third-party and SaaS risk is expanding faster than oversight: As SaaS platforms become central to operations, security monitoring often remains infrequent. Among micro businesses, 43% do not conduct regular or continuous monitoring of third-party vendors, creating blind spots across increasingly complex digital ecosystems.

AI accelerates pressure on already stretched security

AI adoption is intensifying cybersecurity pressure for SMEs, with readiness lagging behind risk. Eight in 10 (81%) SMEs are not prepared or remain in the early stages of preparedness for AI-related threats, while nearly a quarter (22%) have yet to implement dedicated protections for AI applications.

The gap is even more pronounced among smaller firms. Among micro businesses, 84% say they are either unprepared or only at an early stage of readiness, with many lacking specific safeguards as AI use grows.

The gaps are pronounced by business size, too. The research found that 63% of medium-sized businesses see AI as a business opportunity, but only 23% of small businesses and 9% of micro businesses agree.

For SME customers, Sage is focused on making cybersecurity more accessible by embedding security into the design of everyday software from the outset, backed by continuous testing, secure coding practices aligned to Open Web Application Security Project standards, and ongoing security training for engineers.

Sage also works with industry bodies, partners and government initiatives, including the United Kingdom Government’s Software Security Ambassadors Scheme, to support practical, accessible cybersecurity approaches that strengthen resilience across the wider SME ecosystem.

Gustavo Zeidan, chief information security officer at Sage, says: “Many SMEs are excited about the potential of AI but want simple, practical ways to adopt it securely as threats become more sophisticated. Businesses should not have to choose between innovation and security. By making cybersecurity easier to implement through secure-by-design products, clearer guidance and collaboration across industry and government, we can help SMEs build resilience, innovate securely and grow at pace.”

Joel Stradling, senior research director, European Security at the IDC, adds: “The research suggests many SMEs still believe they are not a prime target for cyberattacks, despite threats becoming more sophisticated and widespread. IDC recommends SMEs embed cybersecurity into AI initiatives from the outset and take an organisation-wide approach to cyber resilience. Businesses that close the gap between growth ambitions and security readiness will be best placed to build long-term digital trust with customers, partners and investors.”