Small and medium-sized businesses (SMBs) are exhibiting a dangerous overconfidence in their cybersecurity readiness, with a significant gap between their perceived capabilities and actual security measures in place. A recent report reveals that while 71% of SMBs feel confident in managing major cybersecurity incidents, only 22% have an advanced cybersecurity posture. This disconnect presents a critical opportunity for IT service providers to step in with strategic, outcome-focused solutions that emphasize not just tools, but comprehensive cybersecurity strategies.
The landscape of cybersecurity is evolving, with SMBs increasingly recognizing the importance of cyber resiliency. Reports indicate that 68% of small businesses and 89% of mid-market firms understand the need for quick recovery from incidents, yet many still lack formal security protocols. As the market for cybersecurity solutions is projected to grow significantly, reaching an estimated $70 billion by 2034, the demand for effective strategies is more pressing than ever. The rise of cloud-based security solutions and zero-trust architecture is indicative of this shift.
Regulatory changes are also impacting the cybersecurity landscape, as the SEC withdraws proposed regulations that would have required investment firms to establish written cybersecurity policies. This deregulation creates a trust vacuum that IT providers can fill by offering managed compliance and risk mitigation services. The convergence of regulatory retreat and escalating cyber threats underscores the need for proactive security measures, as the responsibility for cybersecurity increasingly shifts to the market.
Amid these challenges, advancements in email security, particularly through DMARC adoption, show promise in combating phishing attacks. However, the rapid proliferation of generative AI applications is creating new vulnerabilities, complicating the security landscape. IT service providers are urged to capitalize on foundational security measures while also addressing the emerging risks associated with AI. The evolving cybersecurity environment presents both challenges and opportunities for providers who can adapt and innovate in response to these shifting dynamics.
Four things to know today
00:00 SMBs Overconfident, Underprepared: Cybersecurity Misalignment Fuels $70B Market Surge
05:00 SEC Pullback Leaves Cyber Gaps as Ransomware and Zero Trust Shape 2025 Risk Landscape
08:50 From DMARC to Shadow AI: Why Cybersecurity Now Requires Dual-Front Defense
11:45 Bifurcation in IT Services: MSP-Centric Tools and Vertical Platforms Signal Strategic Divide
This is the Business of Tech.
[00:00:02] It's Tuesday, June 17th, 2025 and I'm Dave Sobel. Four things to know today. SMBs are dangerously overconfident in their cybersecurity readiness, creating a critical opening for providers who lead with strategy, not just tools. Regulatory pullbacks leave a trust vacuum IT providers can fill. DMARC adoption improves phishing defense while AI chaos escalates the security risk. And new investments from Slide, Integris and others are redrawing the lines of stacks.
[00:00:32] Specialization. This is the Business of Tech. A recent global survey highlights a worrying disconnect between small and medium-sized businesses' confidence in their cybersecurity readiness and the actual measures they have in place. The State of IT Security for SMBs in 2025 report from Devolutions reveals that while 71% of SMBs express confidence in handling major cybersecurity incidents,
[00:00:58] only 22% reported having an advanced cybersecurity posture, indicating a significant risk gap. The survey also identifies privileged access management as a critical vulnerability, with over half of the respondents still relying on manual methods to manage sensitive credentials. Additionally, although 71% of SMBs plan to increase their use of artificial intelligence tools for cybersecurity, only 25% are currently using them.
[00:01:26] Budgeting for cybersecurity is on the rise, with 63% of SMBs increasing their security budgets, yet nearly a third allocate less than 5% of their overall IT budgets to security. And they're not alone in the analysis. The Techaisle SMB and Mid-Market Security Adoption Trends report highlights a significant level of unpreparedness among small and medium-sized businesses, as well as mid-market firms, in the face of evolving cybersecurity threats.
[00:01:55] According to the report, 46% of small businesses lack a security protocol for incidents, and 51% have no formal risk frameworks. The report reveals that 68% of small businesses feel less prepared than their peers, while the financial losses due to security incidents average $1.6 million. Mid-market firms also face challenges, with 34% lacking a security protocol and experiencing higher incident rates at 57%.
[00:02:24] The research indicates a critical shift towards cyber resiliency, with 68% of small businesses and 89% of mid-market firms recognizing the importance of not only preventing attacks, but also recovering quickly from incidents.
[00:02:38] The market for cybersecurity solutions targeted at small and medium-sized businesses is projected to grow significantly, reaching an estimated value of $70 billion by 2034, up from $25 billion in 2024, per data from Exactitude Consultancy. The growth is driven by an increasing frequency of cyber attacks and rising regulatory pressures.
[00:03:01] Key trends include the adoption of cloud-based security solutions and the emergence of zero-trust architecture, which emphasizes continuous verification for accessing networks. Why do we care? We care because the data reveals a dangerous misalignment between perceived and actual cybersecurity readiness among small businesses, posing both a risk to the businesses themselves and an opportunity for IT service providers to step in with strategic, outcome-focused solutions.
[00:03:29] There's a widening credibility and capability gap in SMB cybersecurity, and that gap is where IT service providers must play. But this isn't a tooling problem, it's a strategic misalignment problem. IT providers that lean into cybersecurity as a business enabler, focusing on continuity, risk posture maturity, and operational recovery, will be the ones to gain trust in long-term contracts. The winners won't just sell protection, they'll sell resilience with accountability.
[00:03:57] Think less, deploy the tool, and more, prove the risk is managed. This is a trust moment, and providers who act like partners, not product pushers, will be the ones SMBs lean on when the inevitable breach comes.
[00:04:56] So among this cyber-awareness landscape, the Securities and Exchange Commission is withdrawing proposed cybersecurity regulations for investment companies and advisors that were introduced during the Biden administration. This decision aligns with a broader trend of deregulation under the current SEC leadership, which includes the withdrawal of rules related to artificial intelligence and outsourcing.
[00:05:22] The now-canceled regulations would have required investment firms to establish written policies addressing cybersecurity risks and to report significant incidents to the SEC. This move comes after notable data breaches at major firms like Fidelity Investments and Prudential, highlighting the need for robust cybersecurity measures. Industry groups argued that the proposed rules could potentially expose sensitive information to adversaries, detracting from actual cybersecurity efforts.
[00:05:49] The National Institute of Standards and Technology has released new guidance on developing zero-trust architectures, offering practical examples to enhance organizational defenses. The guidance, known as Special Publication 1800-35, outlines 19 example implementations designed using commercial technologies, emphasizing that each zero-trust architecture should be tailored to individual organizational needs.
[00:06:14] The initiative follows the 2020 release of Special Publication 800-207, which provided a conceptual overview of zero-trust. According to Alper Kerman, a computer scientist at NIST, these new examples serve as a foundational starting point for organizations looking to construct their own zero-trust systems.
[00:06:33] The report also highlights the importance of continuously evaluating user and device access, particularly in an era of cloud computing and remote work, to minimize risks associated with compromised credentials. The Cybersecurity and Infrastructure Security Agency has issued a warning about the SimpleHelp-related ransomware, which has been exploiting a vulnerability in the remote access software during a series of attacks targeting utility billing software customers.
[00:07:00] This specific vulnerability, identified as CVE-2024-57727, has been actively leveraged by ransomware gangs since January 2025, according to federal cybersecurity officials. Ransomware operations, including those linked to the DragonForce ransomware, have targeted large retail chains in both the UK and the US. Why do we care?
[00:07:25] Well, we care because this convergence of regulatory retreat, technical vulnerability, and public-private divergence on cybersecurity reveals an unstable environment where responsibility is being offloaded to the market, while the threat landscape is escalating. Instead of requiring incident reporting and proactive security policies, the SEC appears to be betting on industry self-regulation, a gamble that rarely ends well in security.
[00:07:51] Especially in sectors where reputational risk is high, but long-term liability is diffuse, we've seen historically that minimum compliance doesn't equate to effective defense. Cybersecurity is entering a fragmentation phase. Public agencies signal risk escalation, technical guidance is improving, but political will to enforce accountability is evaporating. That leaves IT service providers and small businesses in a risky middle ground, more exposed but less supported.
[00:08:21] Smart IT providers will step in where the SEC stepped back, offering managed compliance, risk mitigation, and incident response capabilities as part of a broader resilience offering. Providers who can distill NIST's practical zero trust into customer-ready implementations will win. Regulatory gaps create advisory space. Those MSPs willing to own that space can position themselves not just as technical partners, but as business-critical allies in an era of shifting risk.
[00:08:51] I've got some other security data for you. The EasyDMARC 2025 DMARC adoption report reveals significant advancements in email security, highlighting a dramatic increase in DMARC adoption among top domains, which surged from 27.2% to 47.7% between 2023 and 2025.
[00:09:11] This 75% rise in protected domains reflects a growing awareness of the importance of enforcement policies, with those employing quarantine and reject policies increasing by 50%. The report, based on comprehensive data sourcing, including an analysis of phishing attack patterns and insights from a survey of 980 IT professionals, demonstrates a clear link between national DMARC policies and phishing attack success rates.
[00:09:38] For example, the U.S. saw a reduction in successful phishing delivery from 69% to 14% due to mandatory DMARC requirements, while countries without such mandates, like the Netherlands, experienced a vulnerability increase to 97%. Cybersecurity professionals are facing significant challenges due to the rapid proliferation of generative artificial intelligence applications, which have led to a sharp increase in data security incidents.
[00:10:07] According to a report from Palo Alto Networks, incidents related to data loss prevention more than doubled in early 2025, with generative AI-related security incidents now accounting for 14% of all data security incidents across software-as-a-service traffic. Organizations are struggling to manage approximately 66 generative AI applications on average, with 10% of these classified as high-risk.
[00:10:32] The lack of visibility into AI usage, often referred to as shadow AI, complicates monitoring and controlling these tools. Experts warn that the use of unvetted generative AI tools can expose companies to data loss, phishing scams, and compliance risks, necessitating tighter security measures and the implementation of a zero-trust security framework to mitigate the threats.
[00:11:23] Why do we care? Security has been a moving target. Security has always been a moving target. This year, the target isn't just moving, it's multiplying. The providers who can track, measure, and control both legacy and emerging risks will define the next wave of strategic cybersecurity services.
[00:11:47] Business continuity and disaster recovery platform company Slide has secured $25 million in Series A funding to support its growth and innovations aimed at managed service providers. The funding round, led by Base10 Partners with participation from Outsiders Fund and Top Down Ventures, reflects investor confidence in Slide's approach tailored for the managed service provider market.
[00:12:09] Slide, co-founded by former Datto executives Austin McCord and Michael Foss, has rapidly expanded since its launch in February of this year. The company has introduced a backup and disaster recovery appliance built on a cloud-first foundation featuring flash-based storage and native data encryption.
[00:12:27] With this new funding, Slide plans to enhance its platform development and operations to meet increasing demand for its modern solutions, while also announcing the launch of a Canadian data center to cater to local data residency requirements. Ninth Wave has launched a new division, Ninth Wave Managed Services, aimed at accelerating the adoption of open finance capabilities among financial institutions.
[00:12:50] The initiative is designed to help banks deploy essential services like embedded payments and wealth data connectivity in less than 90 days. Steve Schick, a former executive at Amazon Web Services, has been appointed as the head of the new business unit. Schick brings extensive experience in financial services cloud technology, having previously led initiatives focused on cloud security for regulated institutions.
[00:13:15] Ninth Wave's managed services will utilize a methodology that combines technical execution with compliance and user adoption strategies, emphasizing secure and efficient API connectivity across various enterprise resource planning platforms. The company serves over 2,000 institutions and is a partner to seven of the top 10 U.S. banks.
[00:13:36] Integris, a leader in future-ready managed services, has announced the acquisition of TechMD, a premier managed services provider, along with its security division, One Integer Security. This acquisition marks Integris' largest to date and is aimed at expanding the company's service offerings and enhancing customer experiences. Founded in 1986, TechMD has been instrumental in providing technology solutions to small and mid-sized businesses for over 20 years.
[00:14:03] Integris, backed by OMERS private equity, is focused on driving digital maturity in the industry. NinjaOne has enhanced its endpoint management capabilities by introducing mobile device management support for macOS. The new features include automated patching, enforcing device configurations, and remote support, which aim to simplify compliance and boost team productivity.
[00:14:25] With the integration, NinjaOne positions itself as a comprehensive solution for managing diverse device environments in the growing landscape of remote and hybrid work. 1Password has announced a strategic collaboration with Amazon Web Services to enhance security tools for artificial intelligence and cloud-native environments, addressing the growing demand from enterprises for comprehensive access management solutions.
[00:14:48] The partnership marks a significant milestone for 1Password, which has transformed from a consumer-focused password manager to an enterprise security platform, serving one-third of Fortune 100 companies. In the past 18 months, the collaboration has led to contracts sold through AWS, averaging four times larger than typical deals, with win rates exceeding 50% across all customer segments. Now why do we care?
[00:15:14] We care because these developments show the continued bifurcation of the IT services landscape. On one side, deep specialization and investment in the MSP channel, Slide, Integris. And on the other, strategic vertical moves and platform consolidation, Ninth Wave, NinjaOne, 1Password. For IT service providers, it represents both a competitive pressure and a new set of tools and partner options, only if adopted with clarity and purpose.
[00:15:41] We're seeing the next phase of stack redefinition, purpose-built, compliance-aware, and automation-driven platforms that reflect today's hybrid, remote, and regulatory IT environments. The market rewards specialization. Slide leans into MSP-native BDR evolution. Ninth Wave shows what true vertical alignment looks like. Integris accelerates PE-backed scale with deeper security layers. And NinjaOne and 1Password reinforce endpoint and identity consolidation.
[00:16:09] For providers, this is both enablement and warning. Stack design is strategy. Those who pick tools based on cost or familiarity risk falling behind. Those who architect around customer business outcomes, security, resilience, compliance, lead the next wave of growth.
[00:16:56] Thanks for listening.
[00:17:26] Today is National Eat Your Vegetables Day, Global Garbage Man Day, and National Apple Strudel Day. Join me for a webinar sponsored by Nerdio, modern endpoint management with Intune, what works and what doesn't. Visit bit.ly slash Nerdio webinar with links in the show notes. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech.
[00:17:54] If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too. If you want to support the show, visit patreon.com slash MSP Radio and you'll get access to content early. Or buy our Why Do We Care merch at businessof.tech. Have a question you want answered?
[00:18:17] We take listener questions, send them in, ideally as a voice memo or video to question at MSP Radio.com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn. If you've got a comment or a thought on a story, put it in the comments if you're on YouTube or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit MSP Radio dot com slash engage. Once again, thanks for listening and I will talk to you again on our next episode.
[00:18:49] Part of the MSP Radio Network.

