Half Of SMBs Face Cyber Incidents Despite Rising Security Investment

Cybersecurity is rapidly rising on the agenda of small and medium‑sized businesses, but growing reliance on AI is exposing critical weaknesses in how well they’re actually protected. Many firms remain unprepared for evolving threats despite increased investment and awareness.

IDC conducted a survey that included responses from 2,210 small and medium‑sized businesses across eight countries: Canada, France, Germany, Portugal, South Africa, Spain, the United Kingdom, and the United States. This survey provides a broad global perspective on cybersecurity and AI readiness among SMBs.

According to new research from IDC, more than half of small and medium-sized businesses now consider cybersecurity a key priority, and many are planning to boost their spending to strengthen defenses. Despite this increased focus, about half of these businesses have still faced a cyber incident in the past year.

This report highlights three key weaknesses in SMB cybersecurity. First is a gap between strategy and execution, where many small businesses lack proactive, structured security practices. Second is a tools-versus-usage gap, where basic protections exist but are not backed by employee training or tested response plans. Finally, a growing third-party risk gap is emerging as increased reliance on SaaS platforms and external vendors introduces hidden vulnerabilities due to insufficient monitoring.

AI adoption is adding new cybersecurity risks

IDC highlighted that AI adoption is introducing new layers of complexity and risk that many SMBs are struggling to manage, with preparedness lagging behind the pace of change. Around 81% of these businesses are either unprepared or only partially equipped to handle AI-related threats, and a significant number have yet to implement dedicated safeguards for AI-driven tools and systems.

According to IDC’s research, micro and small firms are significantly less prepared than medium-sized businesses. They are also less likely to view AI as an opportunity, which highlights both resource constraints and risk concerns.

Many SMBs tend to underestimate their exposure to cyber threats and often assume they are not prime targets for attackers. This false sense of security can lead to weaker preparedness and slower adoption of robust cybersecurity measures.

Experts urge businesses to build stronger cyber resilience

Organizations are encouraged to take a more integrated and proactive approach to cybersecurity by embedding it into all aspects of their operations, especially when adopting new technologies like AI. This means moving beyond basic tools and ensuring that security is part of everyday processes, through regular employee training, continuous testing of incident response plans, and stronger oversight of third‑party vendors.

Cybersecurity experts also emphasize the importance of aligning security with business goals, particularly growth and innovation. Companies should incorporate cybersecurity considerations early in their AI strategies, adopt organization-wide resilience practices, and collaborate with industry partners and government initiatives to strengthen their overall defense.