Advania UK has released new research revealing UK mid-market organisations’ are increasingly taking cybersecurity into their own hands, often out of necessity rather than choice. The results reflect both declining confidence in external technology vendors and rising pressure on internal teams to “do more with less.”
Published in Advania’s ‘Building Core Resilience 2025’ report, the findings are from a survey of 1,236 IT decision-makers across Northern Europe, including 500 in the UK. The data shows that at least 65% of UK mid-sized firms now manage cybersecurity entirely in-house, lacking third-party, expert validation of their defences.
This growing self-reliance coincides with falling confidence in external technology partners. 40% of UK IT leaders believe vendors “prioritise enterprise clients” over them, a significant jump from 28% previously. While a similar proportion feel vendors are more interested in “selling products than providing solutions”.
Only 11% of respondents believe their “vendors genuinely act in their organisation’s best interests.” Pravesh Kara, Director of Security and Compliance at Advania UK, comments:
“For the mid-market, cyber self-reliance can too easily slip into overconfidence. Even large enterprises with dedicated teams have been caught off guard by modern attacks. Without independent validation and external expertise, mid-sized organisations risk fighting yesterday’s battles with yesterday’s defences.”
Although external threats continue to dominate headlines, Advania’s research shows that IT leaders perceive internal factors as the more disruptive influence on their cyber strategy 57% of respondents identified issues such as staff turnover, skills gaps, and misaligned strategy as the biggest disruptors to their cybersecurity strategy. Organisations are rethinking cyber ROI, as reputational damage now outweighs technical recovery costs after recent high-profile breaches.
“The biggest vulnerability is often inside the organisation,” adds Kara. “If your strategy, training, and communication aren’t aligned from the board down, even the best technology won’t protect you. It will lead to increased remediation, legal and reputational costs that cybersecurity spending is increasingly geared towards preventing.”
The report also highlights modest improvements in cyber awareness training, with the number of UK firms offering monthly sessions rising from 22% to 32% year-on-year. However, two-thirds of organisations still train employees less frequently.
Kara noted: “Security awareness is a constant practice, woven into how we work every day. Real-time guidance and positive nudges at risky moments build confidence and change behaviour far more effectively than periodic training and testing alone.”
The report is well worth a glance, particulary the respondents view to whom they think the most influential figures/regimes are that are impacting AI strategy, and the fact that expectations are rising despite spend falling.
