Responses showed many organizations increased security budgets but still report training gaps, unbalanced allocations, and challenges with adopting AI practices.

Based on responses from 445 professionals and executives in IT, security, and management roles at small and medium-sized enterprises (SMEs) across Canada, the US, Europe, and other regions, findings from a February to April 2025 survey on IT security readiness were shared with the media.

The survey was focused on respondents’ perceptions and reported practices regarding cybersecurity posture, including access management, AI use, internal threat mitigation, and organizational training.

First, 71% of respondents indicated a confidence in their ability to handle major cybersecurity incidents, stating they felt prepared. Subsequently in the same survey, when this group was asked whether their organizations had implemented a cybersecurity posture rated as advanced enough to withstand attacks, 22% had affirmed this. This gap persisted across industries in the data, and was more pronounced among respondents further removed from day-to-day IT operations, such as executives, compared to IT staff who reported lower confidence and readiness.

Second, 52% of respondents had indicated that their organizations were still using manual processes such as documents or spreadsheets, a 7% increase over a similar survey conducted in the previous year.

Other findings

Third, interest in AI as a cybersecurity measure was notable. While 71% of respondents had indicated plans to implement it as a tool for threat detection and behavior analysis, 40% reported that they had not yet incorporated any AI technologies into their cybersecurity practices. Also:

  • The proportion of respondents that believed AI would play a critical role over the next five years reached 62%. Barriers to adoption cited in the responses included costs, lack of expertise, confidentiality concerns, and apprehension regarding reliance on AI.
  • 63% of respondents indicated that their organizations had increased their cybersecurity budgets for FY 2025, but 55% reported that these increased funds were not optimally balanced across different needs.
  • 29% of respondents indicated that their organizations had allocated less than 5% of their total budget to cybersecurity, and 25% did not know their respective organization’s allocation percentage.
  • 78% of respondents indicated concern about insider risks such as data theft and sabotage. Of this group, 20% indicated that their organizations had active plans in place to counter such threats. Additionally, 28% of respondents indicated that their organizations did not have a plan for confronting internal threats, or did not consider it a priority.
  • 39% of respondents reported that their organizations provided ongoing training, and 32% reported that awareness training was required of staff; 17% indicated that there were no programs in place to support best practices or promote a cybersecurity-aware workplace culture.
  • 43% of respondents indicated that their organizations experienced at least one cyberattack in the past year, and 31% reported incident detection within the first few minutes.

According to David Hervieux, President and founder, Devolutions, the firm that commissioned the survey, “the perception of security and the true level of security may sometimes be very different” among respondents in SMEs, and gaps can exist between the impression of having a strong posture and the reality of the situation.