Small and medium-sized businesses are placing cyber security higher on the strategic agenda than ever before — yet many remain operationally underprepared as AI adoption, SaaS dependency, and third-party risk reshape the threat landscape.
That is one of the central findings emerging from new global research commissioned by Sage and conducted by IDC, which surveyed more than 2,200 SMBs across North America, Europe, and South Africa.
According to the study, cyber security and data protection now rank among the top business priorities for SMBs over the next 12 months, second only to growth initiatives. At the same time, six in ten respondents expect to increase cyber security spending during that period.
The shift reflects a broader reality confronting smaller organisations: digital transformation is accelerating faster than operational resilience.
AI Is Raising the Stakes for SMB Security
For many SMBs, AI adoption is no longer viewed as an experimental initiative. Increasingly, AI tools are becoming embedded within operational workflows, customer engagement, finance, HR, and productivity environments.
But while AI adoption is moving quickly, organisational readiness appears to be lagging behind.
The IDC research found that more than 80% of SMBs are either unprepared or still in the early stages of readiness for AI-related cyber threats. Nearly a quarter have not yet implemented dedicated protections for AI applications at all.
The challenge is particularly visible among smaller organisations with limited internal security resources.
While medium-sized businesses are beginning to approach AI as a strategic opportunity, many micro and small businesses continue to struggle with the operational realities of securing increasingly complex digital environments.
This widening maturity gap is becoming one of the defining cyber security issues facing the SMB market.
Security Investment Does Not Always Translate Into Resilience
The research also highlights a growing disconnect between cyber security investment and day-to-day operational execution.
Most SMBs report deploying baseline protections such as email security, endpoint protection, patch management, and data backup processes. Yet significantly fewer organisations conduct regular employee training, phishing simulations, or incident response testing — areas that often determine how effectively businesses respond during real-world attacks.
In practice, many SMBs appear to be building technical controls without embedding security into operational culture.
That distinction matters increasingly as attacks become more sophisticated, automated, and AI-assisted.
One of the more notable findings is that only a relatively small percentage of micro and small businesses describe their security posture as proactive. For many organisations, cyber security remains reactive rather than continuously operationalised.
SaaS Expansion Is Creating New Blind Spots
The report also points to another growing concern across the SMB ecosystem: third-party and SaaS-related risk.
As organisations adopt larger numbers of cloud-based applications and connected operational platforms, vendor oversight is becoming harder to maintain consistently — particularly for businesses without dedicated cyber security teams.
Among micro businesses surveyed, a significant portion reported not conducting regular or continuous monitoring of third-party providers.
This creates what many security analysts increasingly describe as “visibility fragmentation” — where organisations rely on expanding networks of external software and services without maintaining equivalent levels of governance, monitoring, or risk assessment.
For SMBs, this challenge is becoming increasingly difficult to separate from broader digital transformation efforts.
Cyber Resilience Is Becoming a Business Continuity Issue
The findings reinforce a broader shift occurring across enterprise technology markets: cyber security is no longer being treated purely as an IT function.
Instead, resilience is becoming directly connected to operational continuity, customer trust, regulatory exposure, and long-term business scalability.
“Many SMBs are excited about the potential of AI but want simple, practical ways to adopt it securely as threats become more sophisticated,” said Gustavo Zeidan.
IDC’s Joel Stradling added that many SMBs still underestimate how exposed they are becoming as attacks grow more sophisticated and widespread.
The challenge for smaller organisations is that the pressure to modernise is unlikely to slow down. AI adoption, SaaS expansion, cloud migration, and automation initiatives are continuing to accelerate simultaneously.
For many SMBs, the question is no longer whether cyber security matters strategically.
It is whether operational resilience can evolve quickly enough to keep pace with digital transformation itself.
Source: Sage report, with research and analysis by IDC, SMBs in the age of AI: Navigating cyber complexity and building resilience, 18 May 2026.
ERP News Editorial Team
The ERPNews Editorial Team covers global developments in ERP (Enterprise Resource Planning), enterprise software, cloud platforms, AI, automation, and digital transformation, providing independent news and editorial analysis for senior business and technology leaders. Our reporting focuses on market signals, strategic shifts, and enterprise impact across the ERP and enterprise technology ecosystem.
For editorial inquiries, please contact:
📩 [email protected]
