Medium-sized businesses in the UK show remarkable resilience: they have remained at a constant level throughout the past four years, with a notable increase from 35,900 to 36,900 from 2022 to 2023. But they are also often overlooked – classified alongside small and micro businesses in the all-encompassing ‘SME’ label. Jacques de La Rivière, CEO at Gatewatcher, discusses the cybersecurity demands of medium-sized businesses.
The economic landscape of the UK is undeniably biased towards small businesses. At the start of 2022, there were approximately 5.5 million private sector businesses in the UK. Of that, 5.47 million businesses were small (classified as 0 to 49 employees) and 4.1 million had no employees. At the other end of the scale are the 7,700 large businesses (classified as having more than 250 employees).
Squeezed in between are the 36,900 medium-sized businesses (with 50 to 249 employees), typically with a turnover of less than €50 million or a balance sheet less than €43 million.
When it comes to cybersecurity, this is a profound mistake. In an age of attacks that encompass the supply chain, sophisticated social engineering and long-term planning and execution of advanced, persistent threats, medium-sized businesses have a range of unique factors that must be addressed.
Left out in the cold?
Medium-sized businesses are keenly aware that they may not be sufficiently equipped to meet the new generation of cyberthreats. Recent research found that 59% of UK mid-sized companies report less confidence. The same report showed that, although more than half (57%) would outsource their cyber operations, 47% report that their provider is underperforming. Most damning and concerning was that just 22% of mid-sized firms believe they are resilient.
The survey also found that over half (58%) of mid-sized organisations said they were not benefitting from tooling that can be tailored to their specific business needs. It is clear that the first step in addressing the unique cybersecurity needs of the medium-sized business community is to establish a meaningful dialogue that shows what demands modern cybersecurity technology needs to address.
The COVID backdrop to a new digital medium business landscape
The impact of the COVID lockdowns has been to permanently change working patterns across businesses of all sizes. But for medium-sized businesses, which have been encouraged to digitise in order to remain efficient and competitive, as well as to be attractive as employers, the widespread use of teleworking has opened up substantial weaknesses in cybersecurity.
The 2022 Cyber Security Breaches Survey from the UK government reflected this impact: 94% of medium/large firms reported phishing attacks, against an 83% overall rate of incidence, and 63% reported impersonation attacks, versus 27% overall. Both vectors of attack have been made easier to exploit with increased teleworking and the associated technology.
Elsewhere, medium businesses make greater use of specific technologies that increase cyberthreat exposure. Medium businesses are more likely than the business average to have online payment capabilities, and 66% of medium firms report using network-connected/smart devices compared to an average of 48%, whilst 25% of medium businesses report running older versions of operating systems compared to an average of just 16%.
Elsewhere, Gartner has identified that medium-sized businesses rarely have the dedicated security teams or security tools of larger enterprises and consequently, are the most targeted segment for ransomware attacks, and the average 23 days of downtime caused by ransomware could easily be enough to crash a medium-sized business in the current economic climate.
Frustration and fatigue?
This is not to suggest medium-sized businesses are complacent in the face of cyberthreats. Investment in threat intelligence, cyberthreat audits, penetration testing, monitoring and staff training are all more common in medium and large businesses.
But there is an understandable frustration that these services and options may not accurately reflect their needs. And added to this frustration may be a sense of fatigue – in 2021 three-quarters (75%) of medium-sized businesses had cybersecurity policies. By 2022 this fell nine percentage points to 66%.
The tension within?
Modern medium-sized businesses continue to face uncertainty brought about by persistent inflation, talent challenges and the threat of recession. These conditions determine technology strategies and spending priorities. With regards to cybersecurity, loss of data, business interruption, erosion of turnover, higher insurance premiums and damage to reputation are all catastrophic consequences for medium businesses.
However, it is clear that IT leaders in these businesses do not have a clear commercial narrative to effectively negotiate a cybersecurity budget against other competing priorities. So how can they address this tension and ensure cybersecurity does not add to the substantial weight already upon the organisation?
Each company needs to prepare itself according to its own risk assessment. This requires everyone to maintain rigorous digital hygiene and adopt IT security practices on an on-going basis. This is all the more important given that the current system encourages cyberattackers to re-offend and makes victims even more vulnerable.
Increasing the budget devoted to security tools is no longer a sufficient solution in the face of the proliferation of increasingly sophisticated threats. Every employee is a key part of the responsibility, as they represent the main potential vulnerability. Although the Zero Trust security model, based on the principle that no user can be entirely trusted on a network, is better understood, the human factor remains one of the greatest vulnerabilities in the face of the cyberthreat. It is therefore essential to train staff in threat awareness and best day-to-day practices.
Cybersecurity will remain a key investment for medium-sized businesses – indeed, research shows that there will be a 2023 increase in spending compared to 2022. But it is clear that it must now answer a range of specific demands, as these engines of growth within the UK market adapt to new conditions.