CyberBay Survey Report 2025

EXECUTIVE SUMMARY
We stand at a pivotal moment. AI is accelerating the depth and breadth of connectivity and technological integration in every private sector, government, and academic organization – while at the same time, adoption of forward-looking cybersecurity practices and solutions is lagging. We are, in effect, creating more entry points for bad actors without the safeguards necessary to secure information. Reliable cyber defense is key to protecting our digital infrastructure, and it should be ubiquitous across sectors, from small businesses to multinational enterprises.
We launched the inaugural CyberBay Survey to learn more about where the gaps are and why stronger cyber defense has not yet been prioritized. We gathered insights from organizations on the most significant challenges they face in cybersecurity; the results show a unified acknowledgement that better, more cost-effective tools and training are needed. Alongside technological concerns, the survey examined nontechnical factors such as policies, education, workplace culture, and organizational processes, which are crucial to the success or failure of security measures. Participants included 203 IT and cybersecurity professionals from Small and Medium-Sized Businesses (SMBs) and public-sector entities.
Previous studies show that SMBs face the same cyber threats as larger enterprises but often lack the resources, expertise, and capacity to defend themselves effectively. This makes them more vulnerable, particularly given their central role in the global economy, where SMBs account for more than 90 percent of businesses and around 60 percent of global employment (Junior et al., 2023). Despite their importance, these organizations are frequently overlooked in cybersecurity initiatives and encounter persistent challenges in adopting protective measures.
The 2025 CyberBay survey shows that the need for improved cybersecurity education and implementation is clear, as are the obstacles to implementation.
As the hub of the evolving protective ecosystem, the CyberBay movement brings together stakeholders from across the cybersecurity arena in an effort to prioritize practical, scalable, and human-centered strategies that integrate affordable tools with robust policies, education, and workforce development programs.
The time for change is now. CyberBay is leading the charge.
KEY FINDINGS
- High Cost of Solutions: A significant 80.2% of respondents agree that the majority of existing cybersecurity technology solutions are too expensive, with public-sector organizations feeling this even more emphatically.
- Integration Challenges: 71.9% believe that most cybersecurity solutions address specific, isolated problems and are not well integrated with other necessary solutions, a sentiment particularly strong in the public sector.
- Difficulty of Use: 63.7% find that existing cybersecurity solutions are too difficult to use or require too much time for users to become proficient, with public-sector organizations again expressing this concern more acutely.
- Organizational Vulnerabilities: An overwhelming 81.3% agree that many organizations in similar sectors lack appropriate policies, processes, employee behaviors, and culture essential for maintaining a secure IT environment.
- Cybersecurity Talent Gap: 80.1% agree there are not enough skilled cybersecurity professionals to meet growing organizational needs, with managed service providers (MSPs) and public-sector organizations feeling this most acutely.
- Hiring Impediments: Internal budget restrictions (41.2%) and the lack of skilled talent supply (24.7%) are identified as the most significant impediments to hiring cybersecurity professionals.
- Education Deficiencies: A substantial 74.5% believe that the existing undergraduate cybersecurity curriculum is missing important elements, a problem felt more acutely by MSPs. Similarly, 62.9% feel that professional education options for current professionals are also lacking, with MSPs once again highlighting this as a greater issue.
- Perceived Attack Likelihood: 70.2% disagree with the notion that their organization is unlikely to be a victim of a cyber attack causing serious harm, indicating a strong awareness of cyber threats. The idea that their organization should take cybersecurity seriously is therefore well understood and has permeated all sectors.
- Top Risks from a Breach: Financial loss is a major concern across all sectors, while customer/member loss and brand reputation loss are also highly ranked, especially by MSPs.
- Primary Attack Concerns: Social engineering is the most concerning potential cyber attack for all sectors, followed by infrastructure vulnerabilities and supply chain vulnerabilities.
AUDIENCE + METHODOLOGY
The CyberBay Survey was designed to explore the varied perspectives organizations hold on a range of cybersecurity issues, specifically focusing on non-technical factors crucial for organizational success or failure.
Target Audience: The survey targeted IT and cybersecurity professionals from both the private and public sectors, explicitly focusing on small and medium-sized businesses (SMBs) in contrast to large enterprise accounts. This emphasis is supported by findings indicating that SMBs face unique cybersecurity challenges. The Search for the Cyber Unicorn study has demonstrated that smaller teams and limited budgets restrict the capacity to hire and train inexperienced staff, which increases the demand for improved cybersecurity knowledge and workforce capabilities (Burley et al., 2025). Additionally, recent research shows that SMBs may be more vulnerable to cyber threats due to limited resources, a smaller pool of specialized personnel, and reduced access to advanced security infrastructure.
Methodology
- Sample: The study obtained completed surveys from 203 participants.
- Eligibility: The study pre-screened respondents to ensure they met the specified targeting criteria.
- Data Collection: The study collected survey responses by telephone and an online form.
- Study Design: The study used a mixed-methods design integrating quantitative (closed-ended) and qualitative (open-ended) data.
- Data Analysis:
  - Quantitative: The study applied descriptive statistics (frequencies and percentages).
  - Qualitative: The study conducted a thematic synthesis of open-ended responses to identify recurring patterns and notable insights, analyzing responses verbatim (word for word).
  - Integration: The study used qualitative themes to contextualize and illuminate the quantitative findings.
- Confidence and Error: The study targeted an 85% confidence level with a 5% margin of error.
- Areas of Inquiry: The general areas explored in the survey included:
  - Understanding the audience’s experience with cybersecurity solutions.
  - Issues related to talent and culture.
  - Their perspective on cybersecurity education.
  - Their sense of the potential impact of a cybersecurity attack.
  - Access to relevant resources.
Note: Download the full report of findings for metrics on respondent distribution by Size of Organization, Industry Sector, and Job Responsibility.
FULL REPORT OF FINDINGS
The 2025 CyberBay survey shows that the need for improved cybersecurity education and implementation is clear, as are the obstacles to implementation.

