Mid-sized businesses are under as much pressure to keep the organisation secure as are the larger corporates but without the deep pockets that those larger corporates have. Because of this they are also fast becoming the easy target that we often view small businesses as being, but with a larger payload for the cyber-criminal. In fact, in 2023, 59% of medium sized businesses suffered a cyber-attack or data breach in the UK.
The biggest issue facing mid-market organisations is balancing limited resources with the growing complexity and volume of cyber threats. The lack of resources is compounded by an overall dearth of cyber-security skills in general, and a real lack of skills in mid-sized companies and the IT companies they often outsource to. Key aspects of this challenge include:
1. Resource Constraints: Mid-market organisations typically lack the budget and personnel to implement robust, enterprise-level cyber-security solutions. They may not have dedicated security teams, forcing IT departments to manage cyber-security alongside other duties. This dilutes skills and leaves them vulnerable to sophisticated attacks.
2. Rising Threat Sophistication: Cyber-criminals are increasingly using advanced tools and techniques, such as ransomware, phishing, and supply chain attacks, now enhanced with AI, which often outpace the security capabilities of mid-sized businesses. These organisations are prime targets because they are often seen as less protected than larger enterprises but more valuable than small businesses.
3. Compliance and Regulatory Challenges: As regulations like GDPR, FCA, and industry specific mandates grow, mid-market companies struggle to meet compliance requirements without the same level of support and infrastructure that larger organisations can afford.
4. Lack of Cyber security Awareness: Employees at mid-market organisations may not have adequate training on cyber-security best practices, making them vulnerable to human error, such as falling for phishing scams or weak password practices.
5. Third-Party Risks: Mid-market companies often rely on third-party vendors for various services, but they may lack the resources to thoroughly vet these vendors’ security postures, leading to vulnerabilities in their supply chain.
Addressing these issues requires mid-market organisations to prioritise cyber-security despite resource constraints, invest in scalable security solutions, and foster a strong security culture throughout the organisation.
There is a very real difficulty in breaking out of this cycle. The mind set of most board members is to focus on the core business and keep costs to an absolute minimum. Costs are important in a mid-sized business, especially one where margins may be tight. IT budgets will focus on items, both hardware and software, that are required to keep the revenue flowing and its cyber-security solutions, including data protection solutions, are often seen as nebulous because there is no obvious return on investment. CIOs/CISOs/IT Directors are often left trying to prove a negative, ie we haven’t had any security issues because we have protections in place, as opposed to we haven’t had any security issues therefore we don’t need to budget for protections. It’s a years old argument that never seems to have a resolution.
However, breaking out of this cycle, this thought process, is very important. Cyber threats, what we refer to as the threat landscape, are evolving at a frightening pace, often enhanced using AI. This will further compound any argument about budget simply because there is this need to keep pace with the cyber-criminal, and those of us in this industry know that we have always been playing catch up.
So how do we do it? Not an easy answer but one way that some mid-sized organisations are now looking at is managed security solutions. The provision of SOC (Security Operations Centre) solutions, in a shared way, as we do with cloud services for example, makes managed security more affordable. Many of the large enterprise organisations also make use of managed security solutions for the reasons of cost. On site solutions are not just expensive in terms of hardware and software, but also staffing costs, training etc, can be exorbitant. So, sharing those costs becomes very attractive.
Of course, there is no one size fits all solution and most managed service providers will have a set of services it provides, and do not tailor their services simply because it would make them too complex and expensive to provide, somewhat obviating the whole reason for doing it in the first place.
To make sure that you have the level of protection that you need, then you must do some up front work, maybe getting some consultancy that will save you money in the long run, by getting the protections and levels of service in place that you actually need.
There are several solutions around and organisations that provide them, and I do recommend that you shop around. Some are better than others and the CrowdStrike issue hasn’t done the reputation of managed services much good. Here at H2 we offer solutions for both monitoring your technical estate, your user actions, email, cloud services etc, as well as your data protection issues providing monitoring of any compliances that you may need, including UK GDPR, PCI DSS as an example.
If in doubt give us call, we’d be delighted to chat it over, offer a demo and a FREE trial lasting up to 30 days for the data protection solutions and 14 days for the more technical solution.
Recent Comments