Cybersecurity for Small to Medium Businesses: Discrepancy Between Assumed Readiness and Realpreparation

In a recent worldwide study conducted by TÜV, it was revealed that the cybersecurity landscape for small and medium-sized businesses (SMBs) continues to face significant challenges. The study, titled "The State of IT security in SMBs in 2025," involved 445 professionals and executives holding IT, security, and management roles.

One of the key findings of the study was the persistent issue of poorly balanced budget allocations, with 55% of IT and security teams reporting delays and gaps in implementing new cybersecurity stages. Despite the fact that budgets for cybersecurity are on the rise, they may not be distributed efficiently.

Another concerning issue highlighted by the study is the reliance on manual tools for managing privileged access. As many as 52% of SMBs still use manual tools, despite the fact that such sources are often targeted by ransomware and intrusion programs.

The study also revealed a decrease in the number of SMBs offering training to their staff, with between 2024 and 2025, the number of organizations offering training decreasing by 2%. This is a worrying trend, as ongoing training and awareness programs are crucial in developing a cybersecurity culture and ensuring best practices are followed.

The overall level of confidence has fallen by 9% in 2025, while the number of SMBs stating that they are well prepared has dropped by 8%. This suggests that despite increased budgets and training, SMBs are still struggling to effectively implement and manage their cybersecurity measures.

Enhanced cybersecurity is making progress, but not quickly enough for many organizations. In fact, 40% of respondents use no AI at all within their cybersecurity measures, despite the fact that 71% of organizations intend to use AI for cybersecurity purposes, and 62% believe that AI will play a critical role within five years.

Costs, lack of expertise, concerns regarding confidentiality, and the fear of relying too heavily on AI are barriers that stand in the way of the use of AI in cybersecurity. However, the study highlights that these concerns should not prevent SMBs from adopting AI, as the benefits of doing so far outweigh the risks.

The survey also highlighted six key points concerning the development and effectiveness of the cybersecurity postures of SMBs across the globe. These key points were active within many sectors such as finance, transportation, healthcare, education, commercial, manufacturing, and more.

The study also found that the concern over internal threats increased by 45%, but the number of organizations with a response plan only increased by 5%. This suggests that while SMBs are increasingly aware of the risks posed by internal threats, they are not taking adequate steps to address them.

Despite these challenges, the majority of SMBs take cybersecurity seriously, but struggle to put all the elements in place to strengthen their security posture. In fact, only 20% of SMBs have a plan to counter internal threats, despite the fact that 78% of SMBs are concerned about such risks.

The study concluded that while progress is being made, there is still much work to be done to ensure that SMBs are adequately protected against cyber threats. The full State of IT security in SMBs in 2025 report is available for those who wish to learn more about the challenges faced by SMBs and the steps they can take to improve their cybersecurity posture.

Cybersecurity for Small to Medium Businesses: Discrepancy Between Assumed Readiness and Realpreparation