Sage-IDC Research Reveals SMB Cybersecurity Gaps in the AI Era


Key Takeaways

A significant gap exists between heightened cybersecurity investment and operational readiness among SMBs, with many acknowledging threats but lacking effective responses.

Rapid AI adoption outpaces security preparedness, particularly among smaller businesses, highlighting a lack of governance and expertise in managing AI-related threats.

Third-party SaaS risks remain largely unmonitored, with a concerning percentage of SMBs not conducting regular security assessments, creating vulnerabilities in their digital ecosystems.

Small and medium-sized businesses (SMBs) around the world are increasing cybersecurity investment at a meaningful pace, but a new global study commissioned by Sage and conducted by IDC found that spending intent is outrunning execution, leaving millions of businesses exposed to threats they have acknowledged but have not yet operationalized a response to.

The IDC InfoBrief “SMBs in the Age of AI: Navigating Cyber Complexity and Building Resilience,” published in May 2026 and based on a survey of 2,210 SMBs across eight markets, identifies a structural gap between cybersecurity as a boardroom priority and cybersecurity as a daily business discipline.

For technology executives and ERP decision-makers operating in the SMB segment, the findings carry specific and immediate implications for how AI adoption, vendor selection and platform governance should be approached.

Increased Security Investment is Not Translating Into Resilience

The headline finding is a study in organizational contradiction. Fifty-two percent of SMBs rank cybersecurity and data protection among their top priorities for the next 12 months, placing it second only to business growth at 59% and well ahead of scaling AI adoption at 33%. Six in 10 SMBs expect to increase security spending in the same period. However, half of SMBs experienced a cyber incident or data breach in the past year, and the gap between investment intent and operational readiness is widest among small organizations.

Only 13% of micro businesses and 21% of small businesses describe their cybersecurity approach as proactive, compared with 48% of medium-sized organizations. For 38% of SMBs, cybersecurity responsibilities remain loosely defined and embedded within the broader IT function rather than governed by clear ownership, formal review cycles or documented processes.

The research identifies this governance deficit as the primary reason increased spending does not consistently produce stronger preparedness.

The tool coverage data reinforces the point. Most SMBs report using baseline protections such as email security (79%), regular patching and data backup (71%) and endpoint protection (67%).

However, only half carry out staff training and phishing simulations, and just 36% test incident response plans, limiting the real-world effectiveness of those investments when incidents do occur. For technology executives deploying ERP or financial platforms in SMB environments, this means the systems are often more secure than the human processes surrounding them.

Analysis

What This Means for ERP Insiders

Secure-by-design architecture is now an SMB ERP procurement baseline. As 81% of SMBs lack AI security readiness and cannot close that gap independently, ERP vendors that embed security and compliance controls natively will win on trust.

AI Adoption is Accelerating Faster Than Security Readiness

The research is clear on the AI dimension: 81% of SMBs are not prepared or remain in the early stages of preparedness for AI-related threats, and 22% have not yet implemented dedicated protections for AI applications at all.

The gap is steepest among micro businesses. In that segment, 84% say they are either unprepared or at an early stage of AI security readiness, compared with just 16% of medium-sized organizations.

The asymmetry extends to AI as a business opportunity: 63% of medium-sized businesses see AI as an opportunity, while only 23% of small businesses and 9% of micro businesses agree. The research attributes this not to a lack of ambition but to a lack of confidence in security controls and governance infrastructure.

The top AI security challenges SMBs identify are insufficient internal AI security expertise (45%), implementing strong data governance and security (41%) and keeping up with new AI threats and vulnerabilities (36%).

Those three challenges form a compounding problem:

  • Without expertise, governance programs stall.
  • Without governance, AI tool usage outpaces oversight.
  • Without oversight, organizations cannot track threat exposure as it evolves.

For ERP vendors and implementation partners building AI features into platforms deployed in SMB environments, the research signals secure-by-design architecture is not a competitive differentiator. It is the baseline expectation customers cannot currently meet on their own.

Analysis

What This Means for ERP Insiders

Third-party SaaS monitoring gaps create urgent partner governance obligations for ERP ecosystems. With 43% of micro businesses conducting no continuous vendor monitoring, ERP platforms and their ISV partners must treat transparent, auditable security evidence as a commercial and reputational prerequisite for SMB market access.

Third-Party SaaS Risk Has Outgrown SMB Monitoring Capacity

The most structurally significant finding for ERP technology executives is the scale of unmonitored third-party risk across SMB digital ecosystems.

SaaS platforms are now central to operations for most SMBs. Yet only 13% of SMBs conduct continuous automated monitoring of third-party SaaS vendor security, 28% conduct annual or semi-annual reviews, 39% check only occasionally or when issues arise, and 19% conduct security reviews only at onboarding.

Among micro businesses, 43% do not conduct regular or continuous monitoring at all, creating blind spots across supply chains and digital workflows that are difficult to detect until disruption occurs.

The research identifies what SMBs actually trust when assessing third-party vendors: 47% prioritize independent security certifications such as ISO 27001 or SOC 2, 42% look for clear data residency and retention terms, 33% require incident response SLAs and breach notification commitments, and 27% value third-party penetration test summaries.

For ERP vendors and independent service vendors (ISVs) serving SMB markets, this hierarchy is an explicit product and go-to-market signal. Certifications and data handling transparency are the primary trust mechanisms, not AI-specific assurance claims smaller organizations cannot evaluate without specialist expertise.

“Businesses that close the gap between growth ambitions and security readiness will be best placed to build long-term digital trust with customers, partners and investors,” said Joel Stradling, senior research director of European Security at IDC, in a press release.

Sage’s response to the findings centers on embedding security into product design from the outset in line with Open Worldwide Application Security Project (OWASP) secure coding standards, strengthening identity and access controls across its platforms, and participating in the UK Government’s Software Security Ambassadors Scheme to extend accessible cybersecurity practices across the broader SMB ecosystem.

“Businesses should not have to choose between innovation and security,” said Gustavo Zeidan, CISO at Sage. “By making cybersecurity easier to implement through secure-by-design products, clearer guidance and collaboration across industry and government, we can help SMBs build resilience, innovate securely and grow at pace.”

Analysis

What This Means for ERP Insiders

AI adoption in SMB ERP will be gated by governance infrastructure. Research showing only 9% of micro businesses view AI as an opportunity signals that ERP vendors must lead with embedded safeguards, clear data handling policies and practical AI onboarding guidance to accelerate confident adoption at scale.