Cybersecurity Is A Serious Concern For The Mid-Market

Uploaded on 2024-07-01 in TECHNOLOGY--Resilience, FREE TO VIEW

Ensuring robust cybersecurity is a challenge even for large enterprises, yet many mid-market organisations believe they can handle it alone. New research, conducted via Censuswide, has found that almost half (47%) of businesses in the UK develop cyber strategies internally and express full confidence without seeking external expertise.

This overly ambitious approach ignores the rapid evolution of threats and the needed experience to continually combat them. 

In practice, mid-size businesses fail to implement adequate protections. Over half (55%) admitted to gaps in deploying basic firewall and antivirus safeguards, while many do not regularly patch to the latest security standards. Just 37% have an established incident response plan to guide efforts during an active breach. 

Additionally, there is an alarming lack of visibility into current security postures. 16% of respondents to the survey do not even understand how their organisation maintains defences day-to-day. Most concerningly is that 2% of mid-market businesses admitted to having no discernible security strategy whatsoever – leaving them in imminent danger.

Though regular awareness training appears a prudent safeguard on paper, typical compliance checklist approaches often fail to influence organisational culture and behaviours meaningfully. Leading experts argue that rather than scheduled cybersecurity training, businesses should emphasise “point-in-time” learning in response to teachable security mistakes. By taking this approach, if an employee clicks a simulated phishing link, timely alerts and education change habits can teach users more than abstract seminars every 90 days. 

Cyber Risk: The Blame Game & Poor Patching

Mid-market businesses wrongly assume that cloud providers will cover significant data recovery, legal, and other breach-related expenses in the event of a successful attack. In the Nordics, up to 55% believe their cloud vendor is wholly liable for security incidents. Across EMEA, 40% think providers should even refund the cost of stolen cloud compute usage from exploits like cryptojacking. 

In reality, cloud vendors retain very little responsibility for customer security issues. Only 3% of respondents correctly realised providers are not accountable, while the vast majority carry misplaced expectations of full indemnification. This knowledge gap leaves mid-market businesses disastrously exposed to major unbudgeted cyber-related costs.

Poor patching and access management practices further demonstrate strategic complacency. 1 in 6 mid-market organisations admit they do not regularly patch security flaws, and over half report gaps even when implementing basic privileged access controls around their IT environments. 

Rather than assume they won’t be breached, mid-market cyber strategies must work to reduce exposure through strong foundational controls. Small steps like aggressive patching can considerably reduce the risk surface. Large steps like implementing threat detection and response provide fuller visibility that can identify intruders faster.

Trickle-down IT turnover
The recent research also found that excessive IT talent turnover further erodes mid-market security postures by draining institutional knowledge. Leadership can hardly align cyber initiatives with business goals when they struggle to source and retain qualified internal personnel. 

Among IT staff rated excellent, only 2% stay within mid-market businesses longer than 2 years. More than 1 in 4 depart within just 1-6 months after being hired. And nearly 1 in 10 mid-market organisations admit they have never managed to recruit any staffers exceeding expectations, with Nordic countries faring even worse in talent retention. This level of churn leaves few capable of driving strategic progress.

How to strengthen on a smaller budget
Lacking enterprise-scale security budgets, mid-market businesses require careful examination of cyber risk and return on investment tradeoffs. Yet unclear metrics and misguided assumptions around liability make the constant battle for resources nearly inevitable.

Mature risk and compliance understanding would allow security spending to flex dynamically based on exposure. However, reliance on outdated "best practices" yields predictable, inefficient allocations unrelated to modern threats. Consistently documenting risks in a company risk register and seeking broader consensus is essential so leadership can accurately weigh cyber risks against other funding priorities. The reasoning and mitigation approach behind the documented risks can provide historical context. This could be important in the short term to battle the loss of institutional knowledge being lost through staff churn.

While budgets may hold flat, better education of the broader workforce and leadership about evolving exposure can provide major value. Rather than a compliance checkbox, training should aim to demonstrably improve security behaviours organisation-wide. A clearly defined RACI (Responsible/Accountable/Consulted/Informed) matrix delineates operational control responsibilities both internally and with key partners.

Though small teams and limited budgets create undeniable challenges, major security improvements remain accessible within modest means. New detection and automated response tools allow under-resourced mid-market staff to identify threats earlier and with greater precision. Prioritising speedy patching, multi factor authentication, network segmentation, and behavioural training prudently reduces risk. Leaning more heavily on qualified managed security providers also introduces scalable world-class expertise.

While threats continue advancing at staggering volume and complexity, staying the course on dated security recipes invites disaster. By dispelling lingering misconceptions around liability, focusing resources on foundational defences, and embracing expertise where practical, mid-market cyber strategies can evolve meaningfully without breaking the bank.

Achieving better security requires first acknowledging the widening capabilities gap between modern adversaries and status quo business practices.

Pravesh Kara is Product Director - Security & Compliance at Advania

Image: Unsplash

You Might Also Read:

Half Of British SMEs Have Lost Vital Data:   

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Russia’s Nation-State Hackers: A Serious Threat To Global Security
Safeguarding Enterprises & Individuals In The IoT Era »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Blueliv

Blueliv

Blueliv is a leading provider of targeted cyber threat information and intelligence. We deliver automated and actionable threat intelligence to protect the enterprise and manage your digital risk.

Tufin

Tufin

Tufin enables organizations to automate their security policy visibility, risk management, provisioning and compliance across their multi-vendor, hybrid environment.

Ethio-CERT

Ethio-CERT

National Cyber Emergency Readiness and Response Team of Ethiopia.

HyTrust

HyTrust

HyTrust specialises in security, compliance and control software for virtualization and cloud environments.

Lacework

Lacework

Lacework brings speed, scale, and automation to cloud security and allows security and DevOps teams to collaborate on keeping data and applications safe.

FFRI Security

FFRI Security

FFRI is committed to research and development of preventing the most advanced cyber-attacks and breaches.

Swiss Cyber Think Tank (SCTT)

Swiss Cyber Think Tank (SCTT)

The Swiss Cyber Think Tank is a business network for Cyber Risk & Insurability, providing an industry-wide networking platform for insurers, technology and security firms.

World Informatix Cyber Security (WICS)

World Informatix Cyber Security (WICS)

World Informatix Cyber Security provides a range of cyber security services to protect valuable information assets to global business and governments.

Ridge Canada Cyber Solutions

Ridge Canada Cyber Solutions

Ridge Canada helps insurance brokers and insurance buyers understand, evaluate, and secure cyber coverage that is tailored to their business.

Berezha Security Group (BSG)

Berezha Security Group (BSG)

BSG is a cybersecurity consulting firm specializing in all aspects of application security and penetration testing.

UnderDefense

UnderDefense

UnderDefense provides cyber resiliency consulting and technology-enabled services to anticipate, manage and defend against cyber threats.

TwoThreeFour

TwoThreeFour

ThreeTwoFour provide tailored cyber security solutions, delivered by highly-skilled, experienced consultants who respond to the real needs of you and your business.

ALSCO

ALSCO

ALSCO is dedicated to bringing first class IT services, technical support, and solutions to goverment, companies and organizations worldwide.

Chainguard

Chainguard

Founded by the industry's leading experts on open source software, security and cloud native development, Chainguard are on a mission to make the software supply chain secure by default.

Buguard

Buguard

Buguard is a multi-award-winning supplier of Application Security Assessments and GRC services.

Graphiant

Graphiant

Graphiant’s Data Assurance service gives businesses end-to-end control and visibility into how data travels throughout the entire business network.