Cybersecurity Is A Serious Concern For The Mid-Market
Ensuring robust cybersecurity is a challenge even for large enterprises, yet many mid-market organisations believe they can handle it alone. New research, conducted via Censuswide, has found that almost half (47%) of businesses in the UK develop cyber strategies internally and express full confidence without seeking external expertise.
This overly ambitious approach ignores the rapid evolution of threats and the needed experience to continually combat them.
In practice, mid-size businesses fail to implement adequate protections. Over half (55%) admitted to gaps in deploying basic firewall and antivirus safeguards, while many do not regularly patch to the latest security standards. Just 37% have an established incident response plan to guide efforts during an active breach.
Additionally, there is an alarming lack of visibility into current security postures. 16% of respondents to the survey do not even understand how their organisation maintains defences day-to-day. Most concerningly is that 2% of mid-market businesses admitted to having no discernible security strategy whatsoever – leaving them in imminent danger.
Though regular awareness training appears a prudent safeguard on paper, typical compliance checklist approaches often fail to influence organisational culture and behaviours meaningfully. Leading experts argue that rather than scheduled cybersecurity training, businesses should emphasise “point-in-time” learning in response to teachable security mistakes. By taking this approach, if an employee clicks a simulated phishing link, timely alerts and education change habits can teach users more than abstract seminars every 90 days.
Cyber Risk: The Blame Game & Poor Patching
Mid-market businesses wrongly assume that cloud providers will cover significant data recovery, legal, and other breach-related expenses in the event of a successful attack. In the Nordics, up to 55% believe their cloud vendor is wholly liable for security incidents. Across EMEA, 40% think providers should even refund the cost of stolen cloud compute usage from exploits like cryptojacking.
In reality, cloud vendors retain very little responsibility for customer security issues. Only 3% of respondents correctly realised providers are not accountable, while the vast majority carry misplaced expectations of full indemnification. This knowledge gap leaves mid-market businesses disastrously exposed to major unbudgeted cyber-related costs.
Poor patching and access management practices further demonstrate strategic complacency. 1 in 6 mid-market organisations admit they do not regularly patch security flaws, and over half report gaps even when implementing basic privileged access controls around their IT environments.
Rather than assume they won’t be breached, mid-market cyber strategies must work to reduce exposure through strong foundational controls. Small steps like aggressive patching can considerably reduce the risk surface. Large steps like implementing threat detection and response provide fuller visibility that can identify intruders faster.
Trickle-down IT turnover
The recent research also found that excessive IT talent turnover further erodes mid-market security postures by draining institutional knowledge. Leadership can hardly align cyber initiatives with business goals when they struggle to source and retain qualified internal personnel.
Among IT staff rated excellent, only 2% stay within mid-market businesses longer than 2 years. More than 1 in 4 depart within just 1-6 months after being hired. And nearly 1 in 10 mid-market organisations admit they have never managed to recruit any staffers exceeding expectations, with Nordic countries faring even worse in talent retention. This level of churn leaves few capable of driving strategic progress.
How to strengthen on a smaller budget
Lacking enterprise-scale security budgets, mid-market businesses require careful examination of cyber risk and return on investment tradeoffs. Yet unclear metrics and misguided assumptions around liability make the constant battle for resources nearly inevitable.
Mature risk and compliance understanding would allow security spending to flex dynamically based on exposure. However, reliance on outdated "best practices" yields predictable, inefficient allocations unrelated to modern threats. Consistently documenting risks in a company risk register and seeking broader consensus is essential so leadership can accurately weigh cyber risks against other funding priorities. The reasoning and mitigation approach behind the documented risks can provide historical context. This could be important in the short term to battle the loss of institutional knowledge being lost through staff churn.
While budgets may hold flat, better education of the broader workforce and leadership about evolving exposure can provide major value. Rather than a compliance checkbox, training should aim to demonstrably improve security behaviours organisation-wide. A clearly defined RACI (Responsible/Accountable/Consulted/Informed) matrix delineates operational control responsibilities both internally and with key partners.
Though small teams and limited budgets create undeniable challenges, major security improvements remain accessible within modest means. New detection and automated response tools allow under-resourced mid-market staff to identify threats earlier and with greater precision. Prioritising speedy patching, multi factor authentication, network segmentation, and behavioural training prudently reduces risk. Leaning more heavily on qualified managed security providers also introduces scalable world-class expertise.
While threats continue advancing at staggering volume and complexity, staying the course on dated security recipes invites disaster. By dispelling lingering misconceptions around liability, focusing resources on foundational defences, and embracing expertise where practical, mid-market cyber strategies can evolve meaningfully without breaking the bank.
Achieving better security requires first acknowledging the widening capabilities gap between modern adversaries and status quo business practices.
Pravesh Kara is Product Director - Security & Compliance at Advania
Image: Unsplash
You Might Also Read:
Half Of British SMEs Have Lost Vital Data:
If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.
- Individual £5 per month or £50 per year. Sign Up
- Multi-User, Corporate & Library Accounts Available on Request
- Inquiries: Contact Cyber Security Intelligence
Cyber Security Intelligence: Captured Organised & Accessible