IT Brief Ireland - Technology news for CIOs & IT decision-makers
Sage warns SMBs face cyber risk despite spending rise

Tue, 19th May 2026
Joseph Gabriel Lagonsin, News Editor

Sage has published research showing that many small and medium-sized businesses remain exposed to cyber attacks despite treating cyber security as a strategic priority. IDC conducted the study across 2,210 businesses in eight markets.

More than half of respondents, 52%, said cyber security and data protection were among their top business priorities for the next 12 months, second only to growth at 59%. Some 60% expected to increase cyber security spending over the same period.

Yet the survey found a sharp gap between intent and practice. One in two SMBs said they had experienced a cyber incident or data breach in the past year, suggesting many are still failing to turn spending plans into routine operational discipline.

Readiness gap

The research pointed to a divide by company size. Only 13% of micro businesses and 21% of small businesses described their cyber security approach as proactive, compared with 48% of medium-sized organisations.

The same disparity appeared in attitudes to artificial intelligence. While 63% of medium-sized businesses viewed AI as a business opportunity, the figure fell to 23% among small businesses and 9% among micro businesses.

Across the wider sample, 81% of SMBs said they were either unprepared or only in the early stages of preparedness for AI-related threats. Nearly a quarter, 22%, had yet to put dedicated protections in place for AI applications.

Among micro businesses, the weakness was even more pronounced, with 84% either unprepared or at an early stage of readiness for AI-related risks.

Basic controls

Many businesses reported having baseline protections in place. Email security was used by 79% of respondents, while 67% had endpoint protection and 71% carried out regular patching and data backup.

But those measures were not matched by the same consistency in staff preparation and response planning. Only 50% carried out staff training and phishing simulations, while just 36% tested incident response plans.

The figures suggest many SMBs have bought core tools but have not embedded the regular processes needed to support them. That leaves a gap between technical controls and an organisation's ability to respond when attacks occur.

The survey also highlighted the growing importance of third-party oversight as software-as-a-service tools become more central to daily operations. Among micro businesses, 43% did not conduct regular or continuous monitoring of third-party vendors.

This creates blind spots in supply chains and digital operations, particularly for smaller firms with fewer in-house resources. As dependence on external software and service providers rises, weak monitoring can widen exposure beyond a company's own systems.

UK picture

The UK sample formed part of the wider global study, with 300 British SMBs included in the survey. The UK stood out for moving faster than the global average on AI security, suggesting a more deliberate approach to AI-related risk.

That comes as policymakers continue to press smaller companies to improve basic cyber hygiene. Guidance for smaller firms has increasingly focused on practical defences rather than large-scale spending commitments.

Gustavo Zeidan, Chief Information Security Officer at Sage, said: "Many SMBs are excited about the potential of AI but want simple, practical ways to adopt it securely as threats become more sophisticated. Businesses should not have to choose between innovation and security. By making cyber security easier to implement through secure-by-design products, clearer guidance and collaboration across industry and government, we can help SMBs build resilience, innovate securely and grow at pace."

IDC said the findings showed a persistent belief among many smaller firms that they are unlikely to be targeted, even as attacks become more common and more complex.

Joel Stradling, Senior Research Director, European Security at IDC, said: "The research suggests many SMBs still believe they are not a prime target for cyberattacks, despite threats becoming more sophisticated and widespread. IDC recommends SMBs embed cybersecurity into AI initiatives from the outset and take an organisation-wide approach to cyber resilience. Businesses that close the gap between growth ambitions and security readiness will be best placed to build long-term digital trust with customers, partners and investors."

Baroness Lloyd, UK Cyber Security Minister, said: "Small and medium-sized businesses are under growing pressure from cyber threats, and AI is making that challenge more urgent. But strong cyber resilience does not always mean expensive or complicated action. It starts with getting the basics right.

"That is why the National Cyber Security Centre's Cyber Action Toolkit and our Cyber Essentials scheme are so important. They give smaller firms clear, practical ways to strengthen their defences against common online threats, helping them build resilience and reduce the risk of serious disruption. I urge all SMEs to take up these valuable protections."