Survey deep dive: Is your SMB using spreadsheets for PAM? You’re not alone — or secure

We recently published the report for the Devolutions State of IT Security in SMBs in 2024-25 Survey. While there are many interesting findings, one of the most important — and troubling — insights is about how SMBs are handling privileged access.

On the positive side, some SMBs have implemented reliable and effective privileged access management (PAM) tools, which significantly strengthen their cybersecurity profile, enable their governance and compliance obligations, and reduce their risk. But on the negative side, many SMBs have not yet taken this essential step. Clearly, something is holding them back. But what could it be?

New series

To answer this pivotal question, we are launching a new 4-part series that dives deep into the survey report and explores the key reasons why many SMBs still rely on inefficient and insecure methods for managing access to their most sensitive assets.

We kick off our series below with one of the most startling and concerning discoveries from the entire survey — one that is placing many SMBs at far greater risk than they realize.

Spreadsheets for PAM: Common? Yes. Secure? No!

Despite the growing awareness of privileged access as a critical risk surface, the survey report revealed that 52% of SMBs still rely on manual tools like spreadsheets to manage sensitive credentials.

It is not difficult to grasp why many SMBs take this approach. Spreadsheets are common and familiar, and routinely used for all kinds of work-related tasks and functions — everything from budget forecasting to expense tracking. Unfortunately however, spreadsheets and PAM are not a good pairing.

10 reasons why using spreadsheets for PAM is a mistake

Below, we highlight 10 reasons why using spreadsheets for PAM is unsafe, inefficient, and ineffective.

1 - Highly insecure

Spreadsheets inherently do not support the robust security features that are necessary to safeguard sensitive data such as passwords and access keys. They lack encryption, granular access controls, secure sharing, and alerting.

And what about securing a spreadsheet with a password? This (perceived) protection is no match for today’s cybercriminals. Simply put: spreadsheets were never designed to function as a legitimate password manager and vault. Using them as such may be common, but it is staggeringly unsafe.

2 - No audit trail

Spreadsheets do not support comprehensive audit trails, which makes it impossible to see who accessed what and when. This impedes user management and compliance efforts (more on this in the next reason).

3 - Compliance challenges

Many SMBs are facing (or will soon face) stringent secure control requirements regarding privileged access, such as those imposed by legislators, regulators, and insurance companies. Spreadsheets do not support this obligation, because as mentioned they were never designed as IT security tools.

4 - Hinders scalability

As SMBs evolve, their datasets and access management requirements get larger and more complex. Using spreadsheets for PAM is an obstacle to growth rather than an enabler. Instead of having greater visibility and more control, SMBs can struggle with poor data hygiene and inconsistent application of standards and rules — ultimately leading to more risk and less security.

5 - Prone to error

A spreadsheet joke making rounds goes like this:

Person 1: “The glass is 1/2 full.” Person 2: “The glass is 1/2 empty.”

Spreadsheet: “The glass is January 2.”

Amusing, huh? Well, what isn’t funny is just how prone to data error spreadsheets are; both those caused by formatting and formula rules (including defaults that nobody recalls setting in the first place), as well human errors. When it comes to controlling and managing something as critical as PAM, these errors are more than irritants. They are risks that can hinder productivity and increase vulnerability.

6- No advanced PAM functionality

Spreadsheets do not support advanced PAM functions such as automated password rotation, secure password injection, session monitoring, integration with other systems in the environment, and more. These functions not only make PAM far easier and more efficient, but they increase visibility, security, control, and governance.

7 - Formula headaches

How many times have we gazed in horror at a spreadsheet that is riddled with so many formulas and configurations, that even the smallest change — or even accidental adjustment — could bring it all crashing down like a house of cards? Sadly, this is the reality and risk that many SMBs face on a daily basis with their spreadsheet (or perhaps multiple spreadsheets) containing passwords and other sensitive data. It is just a matter of time before something goes wrong.

Plus, there is always the fear that the resident “spreadsheet guru” who cobbled it all together over the years will go on extended leave or quit, leaving behind a digital monster that nobody can tame. A legitimate PAM solution helps SMBs avoid this scary fate.

8- Version control nightmares

Spreadsheets that are used to store passwords are constantly being updated (or at least, they should be). The problem is, however, that multiple people might be allowed to make these changes. If so, then tracking updates is a messy, tedious, and possibly impossible task. It is especially frustrating for users who need to access passwords from remote locations. When the data in the spreadsheet is wrong, they must scramble to get the right information — often in front of an unimpressed client or customer!

A comprehensive PAM solution puts an end to version control nightmares, because everyone is always viewing the same information that is stored in a centralized location. And if something has to be adjusted, then logging and tracking changes is clear — compared to trying (and often failing) to navigate through and make sense of a spreadsheet’s convoluted version history; one that treats moving a comma as significant as changing a password.

9 - De-provision issues

One of the core requirements of secure and standardized PAM governance is de-provisioning risky and dormant accounts. Spreadsheets make this fundamental task difficult and tedious. The result is greater vulnerability and ongoing administrative headaches.

10 - Could promote “shadow IT”

Last but certainly not least, one of the biggest risks that all organizations face is “shadow IT.” This refers to the use of unauthorized software, applications, or services without the explicit knowledge and approval of the IT department. Gartner predicts that by 2027, 75% of employees will acquire, modify, or create technology outside IT’s visibility, up from 41% in 2022.

End users who are fed up with spreadsheets because they are outdated, disorganized, or time consuming to deal with (or all of the above) may start using their own password management tools and apps. While the motive for this is understandable, the result is a vulnerability that puts data at risk, and could undermine governance standards and compliance requirements.

The way forward

Spreadsheets have been around for decades, and they will be around for decades longer. And there are many valid reasons why. For many workplace tasks, spreadsheets are effective and efficient (and let’s not overlook the glory of the “auto sum” button that, alas, makes all of our math teachers who spent so much time and effort educating us shake their head in disappointment).

However, when it comes to storing and sharing passwords, as well as managing and controlling access to privileged accounts, using spreadsheets is a mistake. Actually, make that 10 mistakes, as we just discussed.

The way forward is clear: SMBs that are still using spreadsheets (and other manual processes) should start their journey with a lightweight PAM solution that integrates with their stack and supports just-in-time access, session logging, and policy enforcement — without a full-time SysAdmin.

Devolutions’ suite of workforce password management solutions fit this requirement perfectly. The trio of Devolutions Workspace, Devolutions Hub, and Devolutions Server enable SMBs to:

• Manage credentials: Securely store and share passwords across the organization

• Enforce security: Safeguard sensitive data by implementing authentication policies and multifactor authentication (MFA)

• Streamline access: Enable users to swiftly access authorized accounts with single sign-on and cross-platform support

Just as importantly, Devolutions’ workforce management solutions are designed for SMBs. There is no costly overhead or needless complexity. Our solutions make sense strategically, operationally, and financially.

Championship pedigree

We are also pleased to note that Devolutions was recently named a 2025 Champion in the PAM Emotional Footprint report by Info-Tech Research Group. The report quantifies user experience with respect to value provided by a product, and strength of the relationship. The result is a “Net Emotional Footprint” score that represents overall sentiment. Devolutions achieved a perfect Net Emotional Footprint score of +100, and we were one of only a few vendors to receive 100% positive feedback with zero negative sentiment.

Learn more & next steps

To learn more and say goodbye to spreadsheets — at least as far as PAM is concerned — contact us today at sales@devolutions.net.

We also invite you to explore our all-new Starter Pack, which provides our workforce management solutions (and more) for up to five users. Click here to learn more and begin a free trial.

Part 2 is on the way

In the next installment of this series, we will address another obstacle that according to the survey report is blocking some SMBs from adopting a comprehensive PAM solution: the belief that they are “not big enough yet to need PAM.”

We will explore why this view is mistaken — and what SMBs should understand and do to boost security across their organization, without breaking their budget or bogging down their administration. Stay tuned!