May 21
/
Latest News
IDC Survey: SMBs Struggle to Keep Pace as Cyber Threats Accelerate and AI Risks Grow
Small and medium-sized businesses are facing mounting cybersecurity pressure as digital threats expand and AI adoption accelerates. A new IDC survey of 2,200 SMBs across eight global markets reveals a widening gap between rising security awareness and the operational maturity needed to manage modern risks.
According to the findings, 60% of SMBs plan to increase cybersecurity spending in the next year, reflecting growing concern over data protection and AI‑driven threats. Yet many organizations still rely on reactive security practices, with responsibilities often folded into general IT roles rather than assigned to dedicated owners. This lack of structure leaves businesses vulnerable, even as budgets rise.
Operational challenges continue to slow progress. Tool management, staff training, and incident response planning remain difficult for teams already stretched thin. As companies grow, maintaining consistent security processes becomes harder, and many lack the formal governance needed to keep safeguards current.
The threat landscape is also becoming more unpredictable. SMBs report exposure to phishing, social engineering, insider risks, and supply chain vulnerabilities. Nearly half say their biggest concern is simply keeping up with the pace of new threats. AI‑powered attacks, deepfakes, and increasingly sophisticated phishing campaigns are making detection more difficult, especially for organizations with limited security expertise.
AI readiness is emerging as a major weakness. Eighty‑four percent of micro businesses and 65% of small businesses say they are unprepared or only beginning to address AI‑related risks. As companies adopt AI tools faster than they can assess their implications, gaps in governance, visibility, and internal expertise widen.
Vendor oversight is another pressure point. Many SMBs conduct risk reviews only at onboarding or contract renewal, leaving long stretches without monitoring. Smaller businesses are particularly exposed, with many reporting little to no ongoing oversight of third‑party providers. Transparency around data handling, storage, and incident response remains a top expectation for building trust with vendors.
“Many SMBs still believe they are not prime targets, even as attacks grow more sophisticated,” said Joel Stradling, Senior Research Director for European Security at IDC. He emphasized that embedding cybersecurity into AI initiatives and strengthening organization‑wide resilience will be essential for maintaining customer and partner trust.
As digital reliance deepens, SMBs face a critical moment: invest not only in tools but in the governance, accountability, and operational discipline needed to turn spending into real protection. Those that close the gap between ambition and readiness will be better positioned to navigate the next wave of cyber risk.
According to the findings, 60% of SMBs plan to increase cybersecurity spending in the next year, reflecting growing concern over data protection and AI‑driven threats. Yet many organizations still rely on reactive security practices, with responsibilities often folded into general IT roles rather than assigned to dedicated owners. This lack of structure leaves businesses vulnerable, even as budgets rise.
Operational challenges continue to slow progress. Tool management, staff training, and incident response planning remain difficult for teams already stretched thin. As companies grow, maintaining consistent security processes becomes harder, and many lack the formal governance needed to keep safeguards current.
The threat landscape is also becoming more unpredictable. SMBs report exposure to phishing, social engineering, insider risks, and supply chain vulnerabilities. Nearly half say their biggest concern is simply keeping up with the pace of new threats. AI‑powered attacks, deepfakes, and increasingly sophisticated phishing campaigns are making detection more difficult, especially for organizations with limited security expertise.
AI readiness is emerging as a major weakness. Eighty‑four percent of micro businesses and 65% of small businesses say they are unprepared or only beginning to address AI‑related risks. As companies adopt AI tools faster than they can assess their implications, gaps in governance, visibility, and internal expertise widen.
Vendor oversight is another pressure point. Many SMBs conduct risk reviews only at onboarding or contract renewal, leaving long stretches without monitoring. Smaller businesses are particularly exposed, with many reporting little to no ongoing oversight of third‑party providers. Transparency around data handling, storage, and incident response remains a top expectation for building trust with vendors.
“Many SMBs still believe they are not prime targets, even as attacks grow more sophisticated,” said Joel Stradling, Senior Research Director for European Security at IDC. He emphasized that embedding cybersecurity into AI initiatives and strengthening organization‑wide resilience will be essential for maintaining customer and partner trust.
As digital reliance deepens, SMBs face a critical moment: invest not only in tools but in the governance, accountability, and operational discipline needed to turn spending into real protection. Those that close the gap between ambition and readiness will be better positioned to navigate the next wave of cyber risk.
Executive IT Forums, Inc.
Educational Programs on Information Technology, Governance, Risk Management, & Compliance (GRC).
Our Newsletter
Get regular updates on CPE programs, news, and more.
Thank you!
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.
Get started
Let us introduce our school
Write your awesome label here.