June 5, 2025
As engines of growth and heartbeats of nations, small and medium-sized businesses (SMBs) represent the backbone of many economies.
Whether in Australia and New Zealand – where SMBs make up approximately 97% of the ecosystems – or in Singapore (99%) or Malaysia (97%), the power of this business group cannot be overstated.
Yet this backbone renowned for robustness and resilience is at risk of breaking.
The lazy one-line explanation is to state that this critical industry segment is no longer flying under the radar of cyber criminals and is now considered a worthwhile target. But such surface-level summarisation is well-known and widely accepted.
The problem lies not in cyber security awareness – that is sky-high among SMBs – but rather in readiness and execution.
According to the 2025 State of SMB Cybersecurity Report – published by CrowdStrike – 94% of SMB leaders are either “somewhat” or “very” knowledgeable about cyber threats. A large majority (83%) also report having a cyber security plan in place.
On paper, the penny has dropped.
In reality, however, strategies are either sub-par to begin with or lack the required level of implementation to be effective.
Based on the research, businesses with security plans were just as likely to fall victim to breaches (25%) as those without (24%). This parity challenges the “dangerous misconception” that having a plan is the same as being prepared.
“SMBs are increasingly aware of the cyber risks they face but remain vulnerable to modern threats,” observed Lisa Campbell, Vice President of SMB at CrowdStrike.
“Many know they need stronger protection but are held back by limited time, resources and expertise. They need solutions that are affordable and effective, without adding complexity – so they can turn awareness into action.”
An example of the mismatch between awareness and execution is phishing, which remains a leading attack vector across businesses of all sizes and industries – evidenced by a 442% increase in voice phishing between the first and second half of 2024.
Without regular education, Campbell suggested, employees are “easy targets”.
Yet despite this, only 42% of SMBs provide regular employee training — a key component to cyber security literacy and knowledge and mission-critical to an effective cyber security strategy.
“SMBs face growing pressure from modern cyber threats but lean teams and complex tools often hold them back,” Campbell added.
As stated in the report, most SMBs continue to rely heavily on outdated tools. Commodity firewalls (91%) and traditional anti-virus (70%) remain some of the most common solutions in use, even as modern threats shift toward file-less malware, credential theft and zero-day exploits.
Only 11% of respondents reported using AI-powered tools to defend against today’s AI-driven attacks.
For Campbell, this highlights a “dangerous disconnect” between the tools SMBs depend on and the evolving threats targeting them.
Awareness failing to translate into execution
The consequences of a cyber attack remain clear and devastating for SMBs – financial losses, reputational damage, legal liabilities and even business closure.
Even though the stakes are high, many SMBs continue to operate with underinvestment in cyber security measures. This disconnect exposes a critical weakness in a digital economy in which remote work, cloud services and online transactions are the norm.
Readiness among SMBs is far from uniform in the context of cyber security, with a significant shift at the 50-employee mark. Below this threshold, most SMBs lack formal plans and investment – above it, readiness begins to scale.
The SMB security divide is most evident among micro-businesses with fewer than 10 employees, according to the research. Only 47% of these businesses have a cyber security plan while more than half spend less than 1% of their total budget on security.
Furthermore, mid-sized SMBs (51-149 employees) are the most likely to say their budget is either “not sufficient” (38%) or that they are “unsure” (18%) about whether it meets their needs.
As Campbell explained, “they’re caught between growing risk and limited internal resources”.
While over 80% report having security plans, only one in five allocate more than 6% of their budget to cyber security.
In other words, this sub-section of SMBs is drawing attention from potential adversaries but is not mature enough to scale security effectively.
By contrast, larger SMBs (150-249 employees) show stronger, more advanced security postures. Nearly 90% of these businesses have formal security plans and almost half (45%) allocate more than 6% of their budget to security.
Notably, this group of businesses is also more than twice as likely to use AI-powered tools as smaller businesses.
Cost and choice problems persist
For many SMBs, the biggest barrier to stronger cyber security isn’t a lack of awareness – it’s a lack of resources.
Cost is the most commonly cited obstacle to adopting advanced security tools, with 66% of SMBs naming it as their top concern. Just 7% of all SMBs say their cyber security budget is “definitely sufficient”.
Although 67% of SMBs prioritise cost when choosing cyber security tools, only 57% focus on protecting against advanced threats. This emphasis on affordability over effectiveness often results in false savings where lower-cost solutions fail to deliver real protection, leaving businesses exposed to expensive breaches.
Extracting the most value from available funds is a challenge for SMBs. Two in five SMBs without a cyber security plan also lack in-house expertise, and over a quarter of those without a plan still don’t view cyber security as a top business priority.
Even when the intent is there, limited budgets and a lack of subject matter expertise lead to hard trade-offs that result in poor decision-making and weak cyber security execution, leaving critical systems exposed to fast-moving threats.
Without dedicated security teams, many SMBs rely heavily on general IT staff (70%) or outsourced providers (21%).
“As a result, security tools must be easy to use for general IT staff and look and feel like the standard software-as-a-service (SaaS) solutions these teams use to run the rest of the business,” Campbell added.
Based on the research, the top 5 solution decision factors among SMBs are:
In addition to cost, SMBs remain hamstrung by choice and under-supported on strategy.
According to the findings, 50% of SMBs feel overwhelmed by the number of cyber security tools on the market and nearly 70% rely on third-party guidance to inform buying decisions.