Mid-market firms bring cybersecurity in-house as vendor trust wanes

New research from IT services provider Advania has found that mid-market organizations in the UK are increasingly bringing cybersecurity operations in-house amid declining confidence in external technology vendors.

The data also reflects the rising pressure on internal teams to “do more with less,” the company said, with 65% of mid-market businesses now managing their own security.

The findings form part of Advania’s Building Core Resilience 2025 report, which surveyed 1,236 IT decision makers across Northern Europe, with 500 of those based in the UK.

Increased self-reliance among mid-market firms aligns with falling confidence in external technology partners, with 40% of UK respondents stating their belief that vendors prioritize their enterprise clients over them. That’s a hike of 12% over the previous year’s report.

A similar number also felt that vendors were more focused on selling products rather than delivering solutions, while just 11% said they felt their vendors acted in their best interests.

Commenting on the data, Pravesh Kara, director of security and compliance at Advania UK, warned that this self-reliance can “easily slip into overconfidence.”

“Even large enterprises with dedicated teams have been caught off guard by modern attacks,” he said. “Without independent validation and external expertise, mid-sized organizations risk fighting yesterday’s battles with yesterday’s defences.”

Internal risk

Notably, the report revealed that IT leaders currently see internal threats as more disruptive than external factors to their cyber strategy, with 57% of participants citing issues such as staff turnover, skills gaps, and misaligned strategy as the biggest hurdles.

On the budget front, increased software licensing fees was the biggest budget pain point for UK firms (53%), followed by additional cloud services (43%), and maintenance of old or decommissioned products (42%).

Reputational damage also now outweighs technical recovery costs following recent high-profile breaches, forcing organizations to rethink their cyber ROI. According to Kara, the biggest vulnerability is often found within.

“If your strategy, training, and communication aren’t aligned from the board down, even the best technology won’t protect you,” he added. “It will lead to increased remediation, legal and reputational costs that cybersecurity spending is increasingly geared towards preventing.”

Security awareness

Elsewhere, the report highlights continued improvement in cyber awareness training across the UK mid-market, with 32% of businesses now offering monthly sessions – up from 22% the previous year.

However, with around two-thirds still doing so less frequently, Kara said there is more work to be done.

"Security awareness is a constant practice, woven into how we work every day,” he explained. “Real-time guidance and positive nudges at risky moments build confidence and change behaviour far more effectively than periodic training and testing alone."

FOLLOW US ON SOCIAL MEDIA

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.