Cybersecurity Is A Serious Concern For The Mid-Market

Ensuring robust cybersecurity is a challenge even for large enterprises, yet many mid-market organisations believe they can handle it alone. New research, conducted via Censuswide, has found that almost half (47%) of businesses in the UK develop cyber strategies internally and express full confidence without seeking external expertise.

This overly ambitious approach ignores the rapid evolution of threats and the needed experience to continually combat them. 

In practice, mid-size businesses fail to implement adequate protections. Over half (55%) admitted to gaps in deploying basic firewall and antivirus safeguards, while many do not regularly patch to the latest security standards. Just 37% have an established incident response plan to guide efforts during an active breach. 

Additionally, there is an alarming lack of visibility into current security postures. 16% of respondents to the survey do not even understand how their organisation maintains defences day-to-day. Most concerningly is that 2% of mid-market businesses admitted to having no discernible security strategy whatsoever – leaving them in imminent danger.

Though regular awareness training appears a prudent safeguard on paper, typical compliance checklist approaches often fail to influence organisational culture and behaviours meaningfully. Leading experts argue that rather than scheduled cybersecurity training, businesses should emphasise “point-in-time” learning in response to teachable security mistakes. By taking this approach, if an employee clicks a simulated phishing link, timely alerts and education change habits can teach users more than abstract seminars every 90 days. 

Cyber Risk: The Blame Game & Poor Patching

Mid-market businesses wrongly assume that cloud providers will cover significant data recovery, legal, and other breach-related expenses in the event of a successful attack. In the Nordics, up to 55% believe their cloud vendor is wholly liable for security incidents. Across EMEA, 40% think providers should even refund the cost of stolen cloud compute usage from exploits like cryptojacking. 

In reality, cloud vendors retain very little responsibility for customer security issues. Only 3% of respondents correctly realised providers are not accountable, while the vast majority carry misplaced expectations of full indemnification. This knowledge gap leaves mid-market businesses disastrously exposed to major unbudgeted cyber-related costs.

Poor patching and access management practices further demonstrate strategic complacency. 1 in 6 mid-market organisations admit they do not regularly patch security flaws, and over half report gaps even when implementing basic privileged access controls around their IT environments. 

Rather than assume they won’t be breached, mid-market cyber strategies must work to reduce exposure through strong foundational controls. Small steps like aggressive patching can considerably reduce the risk surface. Large steps like implementing threat detection and response provide fuller visibility that can identify intruders faster.

Trickle-down IT turnover
The recent research also found that excessive IT talent turnover further erodes mid-market security postures by draining institutional knowledge. Leadership can hardly align cyber initiatives with business goals when they struggle to source and retain qualified internal personnel. 

Among IT staff rated excellent, only 2% stay within mid-market businesses longer than 2 years. More than 1 in 4 depart within just 1-6 months after being hired. And nearly 1 in 10 mid-market organisations admit they have never managed to recruit any staffers exceeding expectations, with Nordic countries faring even worse in talent retention. This level of churn leaves few capable of driving strategic progress.

How to strengthen on a smaller budget
Lacking enterprise-scale security budgets, mid-market businesses require careful examination of cyber risk and return on investment tradeoffs. Yet unclear metrics and misguided assumptions around liability make the constant battle for resources nearly inevitable.

Mature risk and compliance understanding would allow security spending to flex dynamically based on exposure. However, reliance on outdated "best practices" yields predictable, inefficient allocations unrelated to modern threats. Consistently documenting risks in a company risk register and seeking broader consensus is essential so leadership can accurately weigh cyber risks against other funding priorities. The reasoning and mitigation approach behind the documented risks can provide historical context. This could be important in the short term to battle the loss of institutional knowledge being lost through staff churn.

While budgets may hold flat, better education of the broader workforce and leadership about evolving exposure can provide major value. Rather than a compliance checkbox, training should aim to demonstrably improve security behaviours organisation-wide. A clearly defined RACI (Responsible/Accountable/Consulted/Informed) matrix delineates operational control responsibilities both internally and with key partners.

Though small teams and limited budgets create undeniable challenges, major security improvements remain accessible within modest means. New detection and automated response tools allow under-resourced mid-market staff to identify threats earlier and with greater precision. Prioritising speedy patching, multi factor authentication, network segmentation, and behavioural training prudently reduces risk. Leaning more heavily on qualified managed security providers also introduces scalable world-class expertise.

While threats continue advancing at staggering volume and complexity, staying the course on dated security recipes invites disaster. By dispelling lingering misconceptions around liability, focusing resources on foundational defences, and embracing expertise where practical, mid-market cyber strategies can evolve meaningfully without breaking the bank.

Achieving better security requires first acknowledging the widening capabilities gap between modern adversaries and status quo business practices.

Pravesh Kara is Product Director - Security & Compliance at Advania

Image: Unsplash

You Might Also Read:

Half Of British SMEs Have Lost Vital Data:   


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Russia’s Nation-State Hackers: A Serious Threat To Global Security
Safeguarding Enterprises & Individuals In The IoT Era »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Logicalis

Logicalis

Logicalis are a leading provider of global IT solutions and managed services.

Thales

Thales

Thales provides solutions, services and products that help its customers in the defence, aeronautics, space, transportation and digital identity and security markets to fulfil their critical missions.

MailGuard

MailGuard

MailGuard delivers a full suite of security solutions across email and web to protect your business before threats reach your environment.

Siepel

Siepel

Siepel manufactures high quality shielded rooms and anechoic chambers dedicated to TEMPEST, NEMP & HIRF.

Sepior

Sepior

Our vision is to make Sepior the leading provider of cloud-encryption software in the world.

CyberTrap

CyberTrap

CyberTrap is an advanced highly-interactive deception technology allowing real-time analysis and control of security breaches.

Claranet

Claranet

Claranet are experts in modernising and running critical applications and infrastructure through end-to-end professional services, managed services and training.

LEPL Cyber ​​Security Bureau - Georgia

LEPL Cyber ​​Security Bureau - Georgia

The aim of the LEPL Cyber Security Bureau is to create and strengthen stable, efficient and secure systems of information and communications technologies.

Cyber Security Education

Cyber Security Education

CybersecurityEducation.org is an online directory of cyber security education and careers.

Lewis Brisbois

Lewis Brisbois

Lewis Brisbois offers legal practice in more than 40 specialties, and a multitude of sub-specialties including Data Privacy & Cybersecurity.

Axur

Axur

Discover and eliminate digital fraud and risks on the web. Utilize Axur’s entire AI potential, along with thousands of bots dispersed throughout the surface web as well as the deep and dark web.

Path Forward IT

Path Forward IT

Path Forward IT has been troubleshooting, architecting, migrating, protecting, and securing IT environments for businesses across the USA since 2002.

rSolutions

rSolutions

rSolutions delivers managed cybersecurity services to clients in many industry sectors including financial services, telecommunications, energy, government and retail.

Sitehop

Sitehop

Sitehop is a cybersecurity technology company developing and supplying FPGA hardware-enforced cyber security solutions for networks.

Kralos

Kralos

Kralos are an experienced team of Software and IT experts, specialized in the development of innovative cybersecurity solutions.

Coana

Coana

Coana helps software teams tackle the flood of alerts from traditional SCA tools. Using advanced reachability analysis, Coana cuts false alerts by over 80%, freeing up significant engineering time.