Cybersecurity Is A Serious Concern For The Mid-Market

Ensuring robust cybersecurity is a challenge even for large enterprises, yet many mid-market organisations believe they can handle it alone. New research, conducted via Censuswide, has found that almost half (47%) of businesses in the UK develop cyber strategies internally and express full confidence without seeking external expertise.

This overly ambitious approach ignores the rapid evolution of threats and the needed experience to continually combat them. 

In practice, mid-size businesses fail to implement adequate protections. Over half (55%) admitted to gaps in deploying basic firewall and antivirus safeguards, while many do not regularly patch to the latest security standards. Just 37% have an established incident response plan to guide efforts during an active breach. 

Additionally, there is an alarming lack of visibility into current security postures. 16% of respondents to the survey do not even understand how their organisation maintains defences day-to-day. Most concerningly is that 2% of mid-market businesses admitted to having no discernible security strategy whatsoever – leaving them in imminent danger.

Though regular awareness training appears a prudent safeguard on paper, typical compliance checklist approaches often fail to influence organisational culture and behaviours meaningfully. Leading experts argue that rather than scheduled cybersecurity training, businesses should emphasise “point-in-time” learning in response to teachable security mistakes. By taking this approach, if an employee clicks a simulated phishing link, timely alerts and education change habits can teach users more than abstract seminars every 90 days. 

Cyber Risk: The Blame Game & Poor Patching

Mid-market businesses wrongly assume that cloud providers will cover significant data recovery, legal, and other breach-related expenses in the event of a successful attack. In the Nordics, up to 55% believe their cloud vendor is wholly liable for security incidents. Across EMEA, 40% think providers should even refund the cost of stolen cloud compute usage from exploits like cryptojacking. 

In reality, cloud vendors retain very little responsibility for customer security issues. Only 3% of respondents correctly realised providers are not accountable, while the vast majority carry misplaced expectations of full indemnification. This knowledge gap leaves mid-market businesses disastrously exposed to major unbudgeted cyber-related costs.

Poor patching and access management practices further demonstrate strategic complacency. 1 in 6 mid-market organisations admit they do not regularly patch security flaws, and over half report gaps even when implementing basic privileged access controls around their IT environments. 

Rather than assume they won’t be breached, mid-market cyber strategies must work to reduce exposure through strong foundational controls. Small steps like aggressive patching can considerably reduce the risk surface. Large steps like implementing threat detection and response provide fuller visibility that can identify intruders faster.

Trickle-down IT turnover
The recent research also found that excessive IT talent turnover further erodes mid-market security postures by draining institutional knowledge. Leadership can hardly align cyber initiatives with business goals when they struggle to source and retain qualified internal personnel. 

Among IT staff rated excellent, only 2% stay within mid-market businesses longer than 2 years. More than 1 in 4 depart within just 1-6 months after being hired. And nearly 1 in 10 mid-market organisations admit they have never managed to recruit any staffers exceeding expectations, with Nordic countries faring even worse in talent retention. This level of churn leaves few capable of driving strategic progress.

How to strengthen on a smaller budget
Lacking enterprise-scale security budgets, mid-market businesses require careful examination of cyber risk and return on investment tradeoffs. Yet unclear metrics and misguided assumptions around liability make the constant battle for resources nearly inevitable.

Mature risk and compliance understanding would allow security spending to flex dynamically based on exposure. However, reliance on outdated "best practices" yields predictable, inefficient allocations unrelated to modern threats. Consistently documenting risks in a company risk register and seeking broader consensus is essential so leadership can accurately weigh cyber risks against other funding priorities. The reasoning and mitigation approach behind the documented risks can provide historical context. This could be important in the short term to battle the loss of institutional knowledge being lost through staff churn.

While budgets may hold flat, better education of the broader workforce and leadership about evolving exposure can provide major value. Rather than a compliance checkbox, training should aim to demonstrably improve security behaviours organisation-wide. A clearly defined RACI (Responsible/Accountable/Consulted/Informed) matrix delineates operational control responsibilities both internally and with key partners.

Though small teams and limited budgets create undeniable challenges, major security improvements remain accessible within modest means. New detection and automated response tools allow under-resourced mid-market staff to identify threats earlier and with greater precision. Prioritising speedy patching, multi factor authentication, network segmentation, and behavioural training prudently reduces risk. Leaning more heavily on qualified managed security providers also introduces scalable world-class expertise.

While threats continue advancing at staggering volume and complexity, staying the course on dated security recipes invites disaster. By dispelling lingering misconceptions around liability, focusing resources on foundational defences, and embracing expertise where practical, mid-market cyber strategies can evolve meaningfully without breaking the bank.

Achieving better security requires first acknowledging the widening capabilities gap between modern adversaries and status quo business practices.

Pravesh Kara is Product Director - Security & Compliance at Advania

Image: Unsplash

You Might Also Read:

Half Of British SMEs Have Lost Vital Data:   


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Russia’s Nation-State Hackers: A Serious Threat To Global Security
Safeguarding Enterprises & Individuals In The IoT Era »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Allianz Commercial

Allianz Commercial

Allianz Commercial is the center of expertise and global line of Allianz Group for insuring mid-sized businesses, large enterprises and specialist risks.

Packet Ninjas

Packet Ninjas

Packet Ninjas is a niche cyber security agency with specialized expertise in the use of digital intelligence to strengthen cyber security.

Aeriandi

Aeriandi

Aeriandi is a leading provider of hosted PCI security compliance solutions for call centres, trusted by high street banks and major Telcos.

Nozomi Networks

Nozomi Networks

Nozomi Networks is a leader in Industrial Control System (ICS) cybersecurity, with a comprehensive platform to deliver real-time cybersecurity and operational visibility.

IPN (ICT Research Platform Nederlands)

IPN (ICT Research Platform Nederlands)

IPN promotes academic research and education in the ICT field by building and maintaining a national community, and by developing policy to advance the field. Areas of focus include Cyber Security.

CRYPTTECH

CRYPTTECH

CRYPTTECH specializes in Information Security and Intelligence, Risk Evaluation and Vulnerability Recognition against Cyber-Attacks and APTs.

Acuant

Acuant

Acuant is a leading global provider of identity verification, regulatory compliance (AML/KYC) and digital identity solutions.

InnoValor

InnoValor

InnoValor realises value from digital innovation for organisations and government. We provide advisory services and develop innovative software solutions, based on our background in research.

Absio

Absio

Absio provides the technology you need to build data security directly into your software by default, and the design and development services you need to make it happen.

Mindsight

Mindsight

Mindsight is a technology consulting firm with expertise from cybersecurity to cloud, disaster recovery to infrastructure, and collaboration to contact center.

Hassans International Law Firm

Hassans International Law Firm

Hassans is the largest law firm in Gibraltar, providing a full range of legal services across corporate and commercial law including Data Protection and GDPR compliance.

Auriga Consulting

Auriga Consulting

Auriga is a center of excellence in Cyber Security, Assurance and Monitoring Services, with a renowned track record of succeeding where others have failed.

Surefire Cyber

Surefire Cyber

Surefire Cyber delivers swift, strong response to cyber incidents such as ransomware, email compromise, malware, data theft, and other threats with end-to-end response capabilities.

ERCOM

ERCOM

Ercom, a subsidiary of the Thales Group, is a French company known for its mobility security solutions.

Athena7

Athena7

Athena7 is a dedicated assessment practice committed to helping organizations understand how their infrastructure, backups, and security controls will withstand the latest threat actor tactics.

International Maritime Cyber Security Organisation (IMCSO)

International Maritime Cyber Security Organisation (IMCSO)

The IMCSO mission is to be the standard in the maritime cyber security industry, a collective voice, working towards alignment and standardisation.