SMBs adopt AI faster than they secure it, Sage says

Small and medium-sized businesses are deploying AI tools at a pace that their internal security capabilities cannot match, according to research published by Sage and conducted by IDC. The findings are relevant well beyond the accounting software sector — they describe a pattern visible across facilities management, building operations, strata management and club administration: AI is being adopted because it promises efficiency, but the governance structures to manage its risks are often not in place before the tools go live.

What the Research Found

The IDC study, commissioned by Sage, surveyed SMBs across multiple markets and surfaced a consistent readiness gap, particularly among the smallest operators. Key figures from the report include:

  • 84% of micro businesses are either unprepared or only just beginning to address AI-related security threats.
  • 44% of micro businesses have no specific security measures in place for AI applications.
  • 45% of SMBs across the broader market cited insufficient AI security expertise as their single biggest barrier.
  • One in two SMBs reported a cyber incident or data breach in the past year.
  • AI-enabled phishing was the leading concern at 36%, followed by vulnerability exploitation at 32% and deepfakes at 31%.

The data captures something that practitioners in building operations and facilities management will recognise immediately: the gap between what a tool can do and what the organisation is actually ready to manage. Confidence in cybersecurity does not reliably predict better outcomes — the US cohort reported high confidence yet still recorded a 45% incident rate over the preceding year.

Why This Matters for Facilities, Strata and Club Operators

The organisations Mallen Services works with are not software companies, but they are increasingly technology-dependent. AI-assisted video analytics, automated access control reporting, cloud-based intercom management, BMS dashboards with predictive maintenance flags — these are now common features of modern building security and operations infrastructure. Many of these systems connect to the same networks that carry email, finance applications and HR data.

The threat vectors the Sage research highlights are directly applicable. AI-enabled phishing does not require the attacker to know your industry — a convincing email impersonating a service contractor, an access control vendor, or a strata levy authority is achievable with tools widely available on criminal marketplaces. Deepfakes — synthetic audio or video that impersonates a known person — are increasingly being used in authorisation fraud, where an attacker mimics a building manager or executive to instruct staff to change credentials, transfer funds, or grant physical access.

Vulnerability exploitation remains a persistent concern wherever internet-connected devices are deployed without a structured patching regime. IP cameras, network video recorders, access controllers and building management gateways all represent potential entry points if firmware is not maintained and network segmentation is not enforced.

Practical Controls Worth Prioritising

The research does not prescribe remedies, but the gap it describes — between AI adoption speed and security readiness — points to several practical areas where smaller organisations can reduce exposure without requiring large teams or significant capital outlay:

  • Verify before you action. Establish a callback or secondary-channel verification protocol for any request that involves changing system credentials, granting physical access, or approving unusual expenditure — regardless of how legitimate the initial communication appears.
  • Know what is connected. Maintaining an accurate device register and network topology map is a foundational control. You cannot patch or segment what you do not know exists. A documented baseline also makes incident response significantly faster.
  • Segment operational technology from general IT. Security cameras, access controllers, intercoms and BMS devices should operate on network segments isolated from general office IT. This limits the blast radius if a credential is compromised through a phishing attack on an administrative account.
  • Apply firmware updates on a defined schedule. Unpatched firmware in installed security hardware is one of the most common points of compromise. A scheduled review cadence — even quarterly — is considerably better than ad hoc patching.
  • Train staff on AI-enabled phishing characteristics. Synthetic emails and voice messages are now convincingly human. Staff who handle access requests, contractor management or financial authorisations should be briefed on verification procedures rather than relying on message plausibility alone.
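
The device-register, segmentation and firmware-cadence controls above can be checked mechanically once a register exists. The following is an added example, not part of the original article or the Sage/IDC research; the subnets, device names, field names and the 92-day interval used for "quarterly" are constructed assumptions.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Assumed policy (constructed): the subnet reserved for operational technology.
OT_SEGMENT = ip_network("10.20.0.0/24")
OT_KINDS = {"ip_camera", "nvr", "access_controller", "intercom", "bms_gateway"}
REVIEW_INTERVAL_DAYS = 92  # assumed reading of a quarterly firmware review

# Constructed device register; fw_reviewed is the last firmware review date.
REGISTER = [
    {"name": "lobby-cam-01", "kind": "ip_camera", "ip": "10.20.0.11", "fw_reviewed": "2025-05-02"},
    {"name": "carpark-nvr", "kind": "nvr", "ip": "10.10.0.40", "fw_reviewed": "2025-04-20"},
    {"name": "door-ctl-east", "kind": "access_controller", "ip": "10.20.0.21", "fw_reviewed": "2024-11-15"},
    {"name": "bms-gw", "kind": "bms_gateway", "ip": "10.20.0.30", "fw_reviewed": None},
    {"name": "finance-pc-03", "kind": "workstation", "ip": "10.10.0.52", "fw_reviewed": "2025-03-01"},
]
# Constructed list of addresses seen on the network (e.g. a DHCP lease export).
OBSERVED_IPS = ["10.20.0.11", "10.10.0.40", "10.20.0.21",
                "10.20.0.30", "10.10.0.52", "10.20.0.77"]


def audit(register, observed_ips, today):
    """Return (subject, finding) pairs for register, segmentation and firmware gaps."""
    findings = []
    known = {d["ip"] for d in register}
    # Know what is connected: anything on the wire but absent from the register.
    for ip in observed_ips:
        if ip not in known:
            findings.append((ip, "unregistered"))
    for d in register:
        in_ot = ip_address(d["ip"]) in OT_SEGMENT
        is_ot = d["kind"] in OT_KINDS
        # Segmentation: OT devices belong in the OT segment, general IT does not.
        if is_ot and not in_ot:
            findings.append((d["name"], "ot_device_outside_ot_segment"))
        if not is_ot and in_ot:
            findings.append((d["name"], "it_device_inside_ot_segment"))
        # Firmware cadence: a missing or stale review date is overdue.
        if is_ot:
            reviewed = d["fw_reviewed"]
            if reviewed is None or (today - date.fromisoformat(reviewed)).days > REVIEW_INTERVAL_DAYS:
                findings.append((d["name"], "firmware_review_overdue"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(REGISTER, OBSERVED_IPS, date(2025, 6, 1)):
        print(f"{subject}: {finding}")
```
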

Mallen’s Take

The Sage research frames this as an SMB issue, but the readiness gap it describes is not unique to small businesses — it applies to any organisation where technology deployment has outpaced governance. The building and facilities sector has seen rapid expansion of networked security and operational technology over the past several years. The same connectivity that enables remote monitoring, cloud video review and automated reporting also expands the attack surface if controls are not deliberately built around it.

The most useful thing facilities managers, strata committees and club operators can do right now is get an accurate picture of what is deployed on their networks and how it is segmented. That is the starting point for every other control. Our Mallen site audit is designed specifically for this — producing a documented device register, network topology map and coverage baseline that gives organisations the foundation they need to manage risk systematically rather than reactively.

AI is not going to slow down, and neither are the criminal techniques being built around it. The organisations that manage this well will be those that put governance structures in place before an incident forces the issue.

Original source: https://securitybrief.com.au/story/smbs-adopt-ai-faster-than-they-secure-it-sage-says