Mid-sized customers go it alone with security
Research from Advania raises the worrying prospect that a portion of users are missing out on the expertise the channel can provide around security
An increasing number of mid-sized customers appear to have lost confidence in suppliers and have chosen to handle security in-house.
The research findings shared by Advania UK will cause concerns across the security channel that a portion of customers are attempting to fend off threats with their in-house teams.
Advania’s Building core resilience 2025 report found that at least 65% of UK mid-sized firms managed cyber security entirely in-house, denying them the opportunity to have third-party experts design, deploy and manage their defences.
A couple of factors can help to explain this position, with confidence in third-party suppliers dropping, along with a feeling that vendors and partners prioritise enterprise customers over mid-market customers.
The research found that 40% of UK IT leaders believed vendors “prioritise enterprise clients” over them, which was up from 28% last year. Similar numbers felt that vendors were only interested in selling products and were not offering solutions. As a result, 11% of those quizzed felt that manufacturers were only acting in their own interests.
Advania warned that walking away from the channel and taking security in-house could cause customers more problems in the long run.
“For the mid-market, cyber self-reliance can too easily slip into overconfidence,” said Pravesh Kara, director of security and compliance at Advania UK. “Even large enterprises with dedicated teams have been caught off guard by modern attacks. Without independent validation and external expertise, mid-sized organisations risk fighting yesterday’s battles with yesterday’s defences.”
With a significant number of security threats emerging from errors made internally, customers handling everything themselves also face risks that they will find more challenging to solve.
“The biggest vulnerability is often inside the organisation,” added Kara. “If your strategy, training and communication aren’t aligned from the board down, even the best technology won’t protect you. It will lead to increased remediation, legal and reputational costs that cyber security spending is increasingly geared towards preventing.”
When customers were asked about internal threats, they tended to perceive them on a more practical level, pointing to staff turnover, skills gaps and misaligned strategy as the issues of concern, rather than treating a lack of security policies and human error as the priority.
The research indicated that mid-sized organisations were changing their attitude to cyber ROI and were viewing protecting brand reputation as a higher consideration than the costs of recovering operations. The high-profile attacks on M&S and Jaguar Land Rover last year have underlined the damage that hackers could do to a business.
On the positive side, there were improvements in the number of UK firms offering monthly cyber awareness training to staff, increasing to 32% from 22% in the past year. However, there was also a sense that working with the channel would produce better results.
“Security awareness is a constant practice, woven into how we work every day. Real-time guidance and positive nudges at risky moments build confidence and change behaviour far more effectively than periodic training and testing alone,” said Kara.
