Cybersecurity Is A Serious Concern For The Mid-Market

Uploaded on 2024-07-01 in TECHNOLOGY--Resilience, FREE TO VIEW

Ensuring robust cybersecurity is a challenge even for large enterprises, yet many mid-market organisations believe they can handle it alone. New research, conducted via Censuswide, has found that almost half (47%) of businesses in the UK develop cyber strategies internally and express full confidence without seeking external expertise.

This overly ambitious approach ignores the rapid evolution of threats and the needed experience to continually combat them. 

In practice, mid-size businesses fail to implement adequate protections. Over half (55%) admitted to gaps in deploying basic firewall and antivirus safeguards, while many do not regularly patch to the latest security standards. Just 37% have an established incident response plan to guide efforts during an active breach. 

Additionally, there is an alarming lack of visibility into current security postures. 16% of respondents to the survey do not even understand how their organisation maintains defences day-to-day. Most concerningly is that 2% of mid-market businesses admitted to having no discernible security strategy whatsoever – leaving them in imminent danger.

Though regular awareness training appears a prudent safeguard on paper, typical compliance checklist approaches often fail to influence organisational culture and behaviours meaningfully. Leading experts argue that rather than scheduled cybersecurity training, businesses should emphasise “point-in-time” learning in response to teachable security mistakes. By taking this approach, if an employee clicks a simulated phishing link, timely alerts and education change habits can teach users more than abstract seminars every 90 days. 

Cyber Risk: The Blame Game & Poor Patching

Mid-market businesses wrongly assume that cloud providers will cover significant data recovery, legal, and other breach-related expenses in the event of a successful attack. In the Nordics, up to 55% believe their cloud vendor is wholly liable for security incidents. Across EMEA, 40% think providers should even refund the cost of stolen cloud compute usage from exploits like cryptojacking. 

In reality, cloud vendors retain very little responsibility for customer security issues. Only 3% of respondents correctly realised providers are not accountable, while the vast majority carry misplaced expectations of full indemnification. This knowledge gap leaves mid-market businesses disastrously exposed to major unbudgeted cyber-related costs.

Poor patching and access management practices further demonstrate strategic complacency. 1 in 6 mid-market organisations admit they do not regularly patch security flaws, and over half report gaps even when implementing basic privileged access controls around their IT environments. 

Rather than assume they won’t be breached, mid-market cyber strategies must work to reduce exposure through strong foundational controls. Small steps like aggressive patching can considerably reduce the risk surface. Large steps like implementing threat detection and response provide fuller visibility that can identify intruders faster.

Trickle-down IT turnover
The recent research also found that excessive IT talent turnover further erodes mid-market security postures by draining institutional knowledge. Leadership can hardly align cyber initiatives with business goals when they struggle to source and retain qualified internal personnel. 

Among IT staff rated excellent, only 2% stay within mid-market businesses longer than 2 years. More than 1 in 4 depart within just 1-6 months after being hired. And nearly 1 in 10 mid-market organisations admit they have never managed to recruit any staffers exceeding expectations, with Nordic countries faring even worse in talent retention. This level of churn leaves few capable of driving strategic progress.

How to strengthen on a smaller budget
Lacking enterprise-scale security budgets, mid-market businesses require careful examination of cyber risk and return on investment tradeoffs. Yet unclear metrics and misguided assumptions around liability make the constant battle for resources nearly inevitable.

Mature risk and compliance understanding would allow security spending to flex dynamically based on exposure. However, reliance on outdated "best practices" yields predictable, inefficient allocations unrelated to modern threats. Consistently documenting risks in a company risk register and seeking broader consensus is essential so leadership can accurately weigh cyber risks against other funding priorities. The reasoning and mitigation approach behind the documented risks can provide historical context. This could be important in the short term to battle the loss of institutional knowledge being lost through staff churn.

While budgets may hold flat, better education of the broader workforce and leadership about evolving exposure can provide major value. Rather than a compliance checkbox, training should aim to demonstrably improve security behaviours organisation-wide. A clearly defined RACI (Responsible/Accountable/Consulted/Informed) matrix delineates operational control responsibilities both internally and with key partners.

Though small teams and limited budgets create undeniable challenges, major security improvements remain accessible within modest means. New detection and automated response tools allow under-resourced mid-market staff to identify threats earlier and with greater precision. Prioritising speedy patching, multi factor authentication, network segmentation, and behavioural training prudently reduces risk. Leaning more heavily on qualified managed security providers also introduces scalable world-class expertise.

While threats continue advancing at staggering volume and complexity, staying the course on dated security recipes invites disaster. By dispelling lingering misconceptions around liability, focusing resources on foundational defences, and embracing expertise where practical, mid-market cyber strategies can evolve meaningfully without breaking the bank.

Achieving better security requires first acknowledging the widening capabilities gap between modern adversaries and status quo business practices.

Pravesh Kara is Product Director - Security & Compliance at Advania

Image: Unsplash

You Might Also Read:

Half Of British SMEs Have Lost Vital Data:   

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Russia’s Nation-State Hackers: A Serious Threat To Global Security
Safeguarding Enterprises & Individuals In The IoT Era »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Security Industry Association (SIA)

Security Industry Association (SIA)

The SIA's mission is to be a catalyst for success​ within the global security industry through information, insight and influence.

Fasoo

Fasoo

Fasoo provides data-centric security to protect data within the organizational perimeter and beyond by limiting access to sensitive data according to policies that cover both users and activities.

Jiran Security

Jiran Security

Jiran Security provides data and application security solution over email, mobile device and endpoints.

NetFort

NetFort

NetFort provides software products to monitor activity on virtual and physical networks.

Netwrix

Netwrix

Netwrix empowers information security and governance professionals to identify and protect sensitive data to reduce the risk of a breach.

Sungard Availability Services (Sungard AS)

Sungard Availability Services (Sungard AS)

Sungard AS partners with customers around the globe to understand their unique business needs and provide production and recovery services tailored to their requirements.

ThreatGen

ThreatGen

ThreatGEN™ works with your team to improve your resiliency and industrial cybersecurity capabilities through an innovative and modernized approach to training and services.

SHe CISO Exec

SHe CISO Exec

SHe CISO Exec is a sustainable global training and mentoring platform in information security and leadership.

In Fidem

In Fidem

In Fidem specializes in information security management, with a bold approach that views cybersecurity as a springboard to organizational transformation rather than a barrier to innovation.

Tailscale

Tailscale

Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly.

Cyber Octet

Cyber Octet

Cyber Octet is an IT Solution, Security, Training and Services company. We provide training and services from Web Application Security to ISO 27001 implementation.

Acclaim Technical Services (ATS)

Acclaim Technical Services (ATS)

ATS provide operational products, services and solutions to the defense and intelligence communities for all types of critical mission needs.

US Cyber Games

US Cyber Games

US Cyber Games is committed to inform and inspire the broader community on ways to develop tomorrow’s cybersecurity workforce.

CyberSalus

CyberSalus

CyberSalus is a pioneering cyber tech services company dedicated to protecting the digital integrity of healthcare organizations.

Cythera

Cythera

Cythera is an Australian cyber security company with in-house cyber security professionals providing world-class cyber protection to medium to large companies all over Australia.

Hunt & Hackett

Hunt & Hackett

Hunt & Hackett helps European companies prevent, detect and respond to today’s most advanced adversaries, safeguarding them against cyberthreats and espionage.