Cybersecurity Insourcing on the Rise in Mid-Market Firms


Key Takeaways:

  • Mid-market organizations in the UK are increasingly bringing cybersecurity operations in-house due to declining confidence in external technology vendors.
  • 65% of mid-market businesses now manage their own security, with 40% stating that vendors prioritize enterprise clients over them.
  • Internal threats, such as staff turnover and skills gaps, are seen as more disruptive to cyber strategy than external factors.
  • Reputational damage now outweighs technical recovery costs following high-profile breaches, forcing organizations to rethink their cyber ROI.
  • Cyber awareness training is improving, but more work is needed to build confidence and change behavior.

Introduction to the Report
New research from IT services provider Advania has found that mid-market organizations in the UK are increasingly bringing cybersecurity operations in-house amid declining confidence in external technology vendors. The data reflects the rising pressure on internal teams to "do more with less," with 65% of mid-market businesses now managing their own security. The findings form part of Advania’s Building Core Resilience 2025 report, which surveyed 1,236 IT decision makers across Northern Europe, with 500 of those based in the UK. This shift towards self-reliance is likely due to the perceived lack of attention and support from external vendors, with 40% of UK respondents stating that vendors prioritize their enterprise clients over them.

Declining Confidence in External Vendors
The report highlights a significant decline in confidence in external technology vendors, with 40% of UK respondents stating that vendors prioritize their enterprise clients over them. This represents a 12% increase over the previous year’s report. Additionally, a similar number of respondents felt that vendors were more focused on selling products than on delivering solutions, while only 11% said they felt their vendors acted in their best interests. This lack of trust in external vendors is likely driving the trend towards mid-market organizations taking cybersecurity operations in-house. However, as Pravesh Kara, director of security and compliance at Advania UK, warned, this self-reliance can "easily slip into overconfidence." Even large enterprises with dedicated teams have been caught off guard by modern attacks, and without independent validation and external expertise, mid-sized organizations risk fighting yesterday’s battles with yesterday’s defenses.

Internal Threats and Budget Constraints
The report also reveals that IT leaders currently see internal threats as more disruptive to their cyber strategy than external factors, with 57% of participants citing issues such as staff turnover, skills gaps, and misaligned strategy as the biggest hurdles. On the budget front, increased software licensing fees were the biggest budget pain point for UK firms (53%), followed by additional cloud services (43%) and maintenance of old or decommissioned products (42%). Reputational damage now outweighs technical recovery costs following recent high-profile breaches, forcing organizations to rethink their cyber ROI. According to Kara, the biggest vulnerability is often found within, and if an organization’s strategy, training, and communication aren’t aligned from the board down, even the best technology won’t protect them.

The Importance of Security Awareness
The report highlights continued improvement in cyber awareness training across the UK mid-market, with 32% of businesses now offering monthly sessions – up from 22% the previous year. However, with around two-thirds still doing so less frequently, Kara said there is more work to be done. Security awareness is a constant practice, woven into how we work every day, and real-time guidance and positive nudges at risky moments build confidence and change behavior far more effectively than periodic training and testing alone. As Kara explained, "Security awareness is not just about training, it’s about building a culture of security within an organization." By prioritizing security awareness and training, organizations can reduce the risk of internal threats and improve their overall cybersecurity posture.

Conclusion and Recommendations
In conclusion, the report highlights the need for mid-market organizations to prioritize cybersecurity and take a proactive approach to managing internal threats. By bringing cybersecurity operations in-house and investing in security awareness training, organizations can reduce their reliance on external vendors and improve their overall cybersecurity posture. However, as Kara warned, self-reliance can easily slip into overconfidence, and organizations must be careful not to underestimate the importance of independent validation and external expertise. By striking a balance between internal capabilities and external support, organizations can build a robust cybersecurity strategy that protects against both internal and external threats. Ultimately, the key to success lies in building a culture of security within an organization, where security awareness is woven into every aspect of the business.
