Q1 2025 U.K. SME IT Trends Report
Security Takes Precedence for UK SMEs as Tool Sprawl Spirals
Executive Summary
Managing IT today means navigating fragmented ecosystems, ever-evolving security threats, and a minefield of rising costs – the catalyst for which was a significant tax burden that will significantly impact small to medium-sized enterprises (SMEs).
At the same time, UK IT admins within SMEs are under constant pressure to juggle complex device environments, shadow IT risks, and the rapid advance of AI – all while delivering a simple and seamless user experience.
The pace of change can feel relentless. Nearly 90% of UK IT admins are worried about unauthorised apps and devices expanding their attack surface, while 60% are concerned that AI’s rapid rise outpaces their ability to secure against AI-driven threats.
Despite this, nearly half of UK SMEs are worried that implementing stronger security controls may result in poor user experiences.
With IT sprawl overwhelming many teams, 83% of UK IT admins are calling for a unified platform to manage devices, identities, and access, simplifying their increasingly fragmented environments.
Security and SMEs
UK SMEs are under siege: security threats remain the biggest hurdle
For the fourth consecutive iteration of JumpCloud’s SME IT Trends report, security is the biggest business challenge for UK organisations, with 61% saying this in Q1 2025. The latest report reveals that the number of UK SMEs that have suffered a cybersecurity attack has remained consistent, with 45% experiencing an attack in Q1 2025, compared to 44% in Q3 2024.
In Q1 2025, phishing accounted for 53% of cybersecurity attacks suffered by UK SMEs – once again the most prevalent threat vector when compared to Q3 2024. Over a third (37%) of cybersecurity attacks were due to stolen or lost credentials, whilst 30% were due to too many permissions.
Table: The cybersecurity attack my organization faced was due to
| Attack Type | Percentage |
| Phishing | 53% |
| Stolen or lost credentials | 37% |
| Man in the middle (MITM) attack | 16% |
| MFA fatigue/MFA bombing | 15% |
| A breach in a partner’s organization | 27% |
| Too many permissions | 30% |
| Shadow IT | 29% |
| AI-generated attacks | 29% |
These are reflected in the three biggest security concerns that UK SMEs identify – software vulnerability exploits (36%); network attacks (36%); and stolen/shared user credentials (26%). Continually grappling with security threats is why UK SMEs are prioritising investment in cybersecurity tools and services (52%) – more than anything else – in the next six months.
Table: What are the biggest security concerns?
| Concern | Percentage |
| Overly permissive privileges | 11% |
| Multi-factor authentication (MFA) fatigue | 17% |
| Network attack | 36% |
| Software vulnerability exploit | 36% |
| Spear phishing of privileged credentials | 21% |
| Stolen/shared user credentials | 26% |
| Reuse of weak or compromised passwords across different applications | 24% |
| Device theft | 25% |
| Shadow IT | 25% |
| Shared devices among non-employees (family, friends) | 14% |
| Misuse of a privileged account | 15% |
| Use of unsecured networks | 26% |
| Ransomware | 25% |
| Other | 0.3% |
Is user experience sabotaging cybersecurity?
Robust security measures must always be balanced with ease of use and accessibility to business applications. However, with security such a prominent business concern amongst UK organisations, it’s concerning to see that the pendulum has swung in the wrong direction.
Nearly half of UK SMEs (48%) say they are not implementing stronger security measures across their IT stack because these measures generally result in a poorer experience for users.
Ironically, 42% of UK SMEs are not implementing stronger security measures because they already manage too many tools in their IT stack. This is an illustration of the snowball effect that increased tool sprawl across an organisation’s IT team can have on securing businesses and their data.
Table: What has prevented you from implementing stronger security controls?
| Reason | Percentage |
| Additional security measures generally mean poor user experience | 48% |
| Costs – we don’t have the budget | 30% |
| Costs – we can’t hire staff to manage it | 23% |
| We don’t have the expertise | 20% |
| We have too many tools already | 42% |
AI and SMEs
AI: The emerging saviour or a ticking time bomb?
While UK organisations continue to approach AI’s implementation with caution, it is increasingly being recognised as a force for good. The appetite to implement AI initiatives in UK SMEs continues to grow, with 75% looking to implement AI over the next 12 months, an increase on the 66% who had plans to do this in Q3 2024.
Indeed, AI adoption continues to accelerate, with 39% of UK respondents planning to implement AI in the next six months compared to 34% in the Q3 2024 survey and 19% in the survey prior to this. The proportion of UK respondents who said they had no plans to implement AI dropped to 6% in these latest findings from 9% in the previous survey.
This all points to a clear acceleration in AI adoption and organisations recognising its potential. Indeed, when asked if their opinion of AI had changed in the last six months, 34% said that the impact of AI is even greater than they thought it would be, while 32% said the potential impact is the same but moving slower than they thought, a positive drop on the 37% who said this in the last survey.
Table: Our organization has plans to implement AI initiatives for IT over the next:
| Timeframe | Percentage |
| 6 months | 39% |
| 7-12 months | 36% |
| 13-18 months | 18% |
| 19-24 months | 2% |
| We do not currently have any plans to implement AI initiatives | 6% |
Employees are using AI — but who’s in control?
In terms of how organisations are using AI, nearly half (49%) encourage their employees to use GenAI tools like ChatGPT and others. In fact, 48% have developed a policy to help guide employees around AI use, which is encouraging as they try to establish the appropriate guardrails around usage.
However, 38% only allow employees limited access to AI applications and 23% have controls that prevent employees from accessing AI applications.
Table: In terms of AI, my organization:
| Policy/Action | Percentage |
| Encourages employees to use AI tools like ChatGPT or others | 49% |
| Has developed a policy to help guide employees around AI use | 48% |
| Allows employees limited access to AI applications | 38% |
| Has controls that prevent employees from accessing AI applications | 23% |
| Has not developed any policies or restrictions around AI use | 20% |
This is because concerns around AI and its power to outpace UK SMEs’ ability to protect against threats remain an issue, however, this view has softened slightly.
The survey found this percentage has decreased to 60% in Q1 2025 versus 64% in Q3 2024. But in Q1 2025, 29% of cybersecurity attacks were attributed to AI, which was a slight increase from the 25% in Q3 2024.
Table: AI is outpacing my organization’s ability to protect against threats:
| Response | Percentage |
| Strongly disagree | 3% |
| Disagree | 15% |
| Neutral | 22% |
| Agree | 37% |
| Strongly agree | 23% |
Shadow IT and SMEs
The shadow IT crisis: is your company exposed?
Shadow IT continues to pose a problem. In Q3 2024, UK SMEs said they didn’t have the visibility or ability to discover all shadow IT applications used by employees — or that this wasn’t a business priority for them.
In Q1 2025, 55% of UK SMEs have discovered employees using applications outside of those officially managed by IT.
Table: Over the past 12 months, we have discovered applications used by our employees that were not officially managed by IT
| Response | Percentage |
| Yes | 55% |
| No | 43% |
| I don’t know | 2% |
An alarming 83% of UK SMEs estimate that employees are using between one and 20 unsanctioned applications. As a result, concern about shadow IT remains high, with 87% of UK SMEs very concerned or somewhat concerned about its use.
Table: How many unsanctioned applications do you estimate are used by your employees?
| Number of Applications | Percentage |
| None | 14% |
| 1-5 | 46% |
| 6-10 | 29% |
| 11-20 | 7% |
| More than 20 | 4% |
Table: How concerned are you about applications or resources managed outside of IT (i.e., shadow IT)?
| Level of Concern | Percentage |
| Not concerned | 13% |
| Somewhat concerned | 46% |
| Very concerned | 41% |
Tool Sprawl, Passwords, Biometrics and MFA
Tool chaos and password overload: is your IT infrastructure a security nightmare?
Tool sprawl continues to remain high amongst UK organisations. The number of SMEs using between 11-15 tools to manage the employee lifecycle and all resources has slightly increased since Q3 2024, now standing at 19%.
The number of UK SMEs using between five to 10 tools has also increased from 46% in Q3 2024 to 51% in Q1 2025.
Table: How many tools or applications do you/your IT team use to manage the employee lifecycle and the resources they need to do their job? (e.g., onboarding, device management, security tools, directory services, offboarding, help desk, etc.)
| Number of Tools | Percentage |
| 1 | 2% |
| 2-4 | 21% |
| 5-10 | 51% |
| 11-15 | 19% |
| More than 15 | 7% |
Unsurprisingly, 83% of UK SMEs are still calling for a single platform that consolidates multiple solutions into one to enable better-centralised management, security, and control of tools and applications.
Additionally, the number of passwords being used by employees to log in to IT resources continues to increase. 41% of UK SMEs have employees using between six-15 passwords which is an increase from 31% in Q3 2024.
Table: On average, how many different passwords do your employees have to log into their IT resources (devices, apps, networks, files, servers, etc., either on-premises or in the cloud)?
| Number of Passwords | Percentage |
| 1-2 | 17% |
| 3-5 | 39% |
| 6-9 | 25% |
| 10-15 | 16% |
| 16 or more | 3% |
As a result, nine out of 10 businesses say that biometric capability is a key security requirement when purchasing new devices. 85% either agree or strongly agree that their organisation’s security posture would be stronger if they required biometric authentication.
To this point, 62% say that the best tool, application, or process for keeping their organisation secure is biometrics, closely followed by MFA (43%).
Table: My organization’s security posture would be stronger if they required biometrics:
| Response | Percentage |
| Strongly disagree | 4% |
| Disagree | 4% |
| Neutral | 7% |
| Agree | 44% |
| Strongly agree | 41% |
Table: What do you consider the best tools/applications/processes for keeping an organization secure:
| Tool/Process | Percentage |
| MFA (multi-factor authentication) | 43% |
| SSO (single sign-on) | 15% |
| Strong, unique passwords | 35% |
| A password management system | 28% |
| Biometric authentication | 62% |
| Organization-wide cybersecurity policy | 24% |
| Regular employee training/education around cybersecurity best practices | 27% |
| Forced password resets | 21% |
| Implementing Zero Trust controls (conditional access) | 23% |
| Compliance with industry standards or frameworks such as ISO 27001, SOC 2, NIST, etc. | 22% |
SME Security Spending and Staffing Levels
IT budgets are booming, but will it be enough to beat cybersecurity threats?
In the second half of 2024, 68% of UK SMEs expected IT budgets to increase. Interestingly, when looking at 2025, this has shot up to 80% of UK SMEs expecting IT budgets to rise.
Likewise, 76% of UK SMEs expect cyber security budgets to increase in the next 12 months and over half (52%) of UK SMEs are planning to invest in cybersecurity tools and services in the next six months. This was higher than any other investment being planned.
Table: Which areas of IT are you planning to invest in over the next 6 months?
| Area of Investment | Percentage |
| Identity & access management | 23% |
| Device management | 28% |
| SaaS management | 33% |
| Vulnerability management | 23% |
| Zero Trust | 15% |
| IT asset management | 29% |
| AI-related IT tools | 47% |
| Additional IT headcount | 23% |
| Cybersecurity tools and services | 52% |
| Devices or other IT infrastructure | 25% |
| Cloud infrastructure | 46% |
| SaaS or software applications | 36% |
| IT service providers or MSPs | 36% |
| Other | 0.3% |
This increased investment is reflected in the confidence of UK respondents to deal with and financially recover from a cybersecurity attack, which has increased from 73% in Q3 2024 to 77% in Q1 2025.
Despite the current business uncertainty and the change of government, this hasn’t resulted in more anticipated redundancies. In Q3 2024, over two-thirds (69%) of UK SMEs had either experienced layoffs, or anticipated there would be layoffs at their company in the next six months.
In Q1 2025, this remained steady at 66%.
Table: Has your organization gone through layoffs in the last six months?
| Response | Percentage |
| No | 34% |
| Yes, and I do not anticipate more layoffs | 22% |
| Yes, and I anticipate there will be more layoffs over the next six months | 26% |
| Not yet, but I anticipate there will be layoffs over the next six months | 18% |
MSPs and SMEs
MSP adoption skyrockets: are SMEs fully handing over the reins?
Planned MSP investment in the next 12 months has gone up since the previous SME IT Trends report, from 67% in Q3 2024 to 79% in Q1 2025.
In Q1 2025, more UK SMEs (31%) are using MSPs to completely manage their IT programme, including technology, process, and support, compared to 24% in Q3 2024.
Table: To what extent does a managed service provider (MSP) play a role in your IT program?
| Role of MSP | Percentage |
| We do not work with an MSP and don’t plan on it at this time | 9% |
| We are considering an MSP but don’t currently work with one | 16% |
| An MSP supports our internal IT team | 44% |
| An MSP completely manages our IT program, including technology, process, and support | 31% |
Consequently, fewer UK SMEs use MSPs to support internal IT teams (44% in Q1 2025 versus 51% in Q3 2024).
Once again, system security is the primary reason for UK SMEs to use MSPs (53% in Q1 2025 and 52% in Q3 2024). As a result, the majority of UK SMEs (61%) said that cybersecurity is the one aspect they would like their MSPs to manage that they do not manage today.
Table: What tools would you like to see your MSP manage that they do not today?
| Tool | Percentage |
| Google Workspace | 37% |
| SaaS management | 50% |
| Cybersecurity | 61% |
| Compliance and reporting | 38% |
| Expanded device management (Linux, Android, etc.) | 37% |
| None of these | 7% |
Are SMEs letting fear of losing control stop them from unlocking MSP potential?
Consequently, fewer UK organisations use MSPs to support internal IT teams (44% in Q1 2025 versus 51% in Q3 2024). For those UK SMEs not using MSPs, nearly half (43%) say that they do not do so because they prefer to handle IT themselves.
42% of UK SMEs have concerns about how MSPs manage security; a slight increase from Q3 2024 (37%).
Table: We don’t use MSPs because:
| Reason | Percentage |
| They are too expensive | 33% |
| They offer more than what we need | 13% |
| I prefer to handle IT myself | 43% |
| We are too small to be a client even if we wanted one | 13% |
| We’ve outgrown the service offerings they support | 4% |
| We’ve had bad customer service experiences with MSPs in the past | 20% |
| They don’t support the devices, productivity suite, or IT systems that we currently deploy | 15% |
| Other | 3% |
Final Thoughts
UK SMEs are at a crossroads with tension between security, innovation, and control in the age of uncertainty
As UK SMEs navigate an increasingly complex landscape, three clear themes emerge: security threats continue to escalate, AI adoption is accelerating, and reliance on MSPs is growing.
The need for robust cybersecurity has never been more urgent—yet businesses are torn between securing their IT and maintaining a seamless user experience. While AI promises transformative potential, the risks it poses demand careful management and oversight. Meanwhile, the surge in MSP usage reflects a shift towards outsourcing IT management, but concerns over control and security remain a significant hurdle.
In this environment, SMEs must act decisively. Investing in integrated security solutions, adopting AI with caution, and embracing managed services with a clear strategy are no longer optional—they are essential for survival. The question is not whether to innovate, but how to do so while maintaining control and safeguarding the business. The future belongs to those who can balance growth and security, with resilience at the core of their strategy.
Methodology:
JumpCloud surveyed 300 IT decision-makers in the UK, including managers, directors, vice presidents, and executives. Each survey respondent represented an organisation with 2,500 or fewer employees across a variety of industries. The online survey was conducted by Propeller Insights, from 4 November 2024 to 11 November 2024.
JumpCloud.
JumpCloud® delivers a unified identity, device, and access management platform that makes it easy to securely manage identities, devices, and access across your organization. With JumpCloud, IT teams and MSPs enable users to work securely from anywhere and manage their Windows, Apple, Linux, and Android devices from a single platform.