SMBs adopt AI faster than they secure it, Sage says

Sage has published research suggesting small and medium-sized businesses are adopting AI faster than they are securing it, highlighting a wider readiness gap among the smallest firms.

The IDC study, commissioned by Sage, found that 84% of micro businesses are either unprepared or only just getting started on readiness for AI-related threats. It also found that 44% have no specific security measures in place for AI applications.

Across the broader SMB market, 45% cited insufficient AI security expertise as their biggest barrier. One in two SMBs reported a cyber incident or data breach in the past year, with AI-enabled phishing, vulnerability exploitation and deepfakes among the leading concerns.

The figures point to a mismatch between interest in AI tools and the internal resources needed to manage the risks that come with them. Smaller businesses often face tighter budgets and leaner teams, leaving them exposed as cyber threats become more complex.

US picture

The research also highlighted a mixed picture in the US market, where SMBs are ahead of the global average in moving from cybersecurity awareness to more structured day-to-day practice.

That progress has not always translated into stronger outcomes. Despite a large majority of US SMBs reporting high confidence in managing cybersecurity, 45% still experienced cyber incidents in the past year.

The data adds to a broader debate over whether smaller companies can keep pace with AI adoption without widening existing weaknesses in cyber defence. For many, the challenge is not only awareness of risk, but access to the right expertise and the ability to put controls in place.

Sage linked the findings to growing concern that security issues and capacity constraints are limiting the value SMBs can draw from AI. Smaller businesses are under pressure to balance investment in new tools with the need to protect data, systems and customer trust.

Gustavo Zeidan, chief information security officer at Sage, said the findings show a widening divide between ambition and preparedness in the SMB market. He added that Sage is trying to make security simpler to adopt through built-in safeguards, secure-by-design principles and clearer transparency around data protection and the use of AI.

The study comes as cyber risks affecting smaller firms continue to draw attention from policymakers, insurers and technology suppliers. Smaller businesses have long been seen as vulnerable because they often lack dedicated security staff, formal policies and the scale to absorb the cost of an incident.

AI has added another layer of pressure. Tools that can generate convincing messages, imitate voices or automate attacks have lowered the barrier for criminals, while businesses are experimenting with AI applications that may introduce new data and governance risks if adopted without clear controls.

The report suggests micro businesses are under the greatest strain. With nearly half lacking AI-specific security measures and a large majority still at an early stage of readiness, this segment appears most likely to struggle as AI-related threats become more common.

For the wider SMB sector, the numbers also underline a practical issue for technology adoption. If businesses do not have enough AI security expertise in-house, the pace of deployment may continue to outstrip their ability to assess risk, train staff and respond when incidents occur.

One in two SMBs experienced a cyber incident or data breach in the past year, with AI-enabled phishing cited by 36%, vulnerability exploitation by 32%, and deepfakes by 31% as the top concerns.