Cost pressures and declining vendor trust are pushing UK mid-market organisations to rethink cybersecurity strategy.
A new study reveals that UK mid-market organisations are increasingly reducing their reliance on external cybersecurity vendors and shifting responsibility to in-house teams. This move is driven by mounting cost pressures and declining trust in providers, and it raises concerns about whether these organisations can sustain long-term cyber resilience.
IT services provider Advania surveyed 1,236 mid‑market IT decision‑makers across the UK and six Northern European countries. These respondents are responsible for purchasing software, hardware, cloud, and cybersecurity services within their organisations.
According to Advania’s Building Core Resilience 2025 report, many mid-market organisations perceive vendors as being overly focused on enterprise customers, pushing products instead of tailored solutions and offering transactional rather than supportive relationships. This reduced trust is reinforcing the trend toward in‑house development and reduced reliance on external partners.
IT leaders are more concerned about risks originating inside their organisations than from external hackers. Skills gaps caused by staff turnover, inconsistent security practices, and weak internal alignment on cyber strategy are considered the most disruptive factors. This suggests that organisational culture and communication play an important role in security, as well as technical controls.
This study also found that spending on cloud services and cybersecurity has decreased significantly as organizations reassess costs and feel overcharged by providers. Moreover, inflation, licensing costs, and operational expenses are forcing short‑term budget cuts, even though these reductions may hinder long‑term readiness and innovation.
According to the research, cybersecurity training is more common than in previous years. However, it’s still not frequent enough in most organizations to deal with emerging threats such as phishing and business email compromise. Regular training is inconsistent across different regions, which leaves many employees unequipped to respond to daily attack attempts.
“If your strategy, training, and communication aren’t aligned from the board down, even the best technology won’t protect you,” said Pravesh Kara, Director of Security and Compliance at Advania UK. “It will lead to increased remediation, legal and reputational costs that cybersecurity spending is increasingly geared towards preventing.”
Additionally, artificial intelligence is considered beneficial, particularly for improving cybersecurity and customer experience rather than cutting jobs. Most IT leaders believe AI enhances organisational outcomes, but some link it directly to measurable productivity gains, especially within IT teams.
Last but not least, legacy systems are reaching end of support, and most organizations are now proactively modernizing their IT environments. More regular system reviews, automated testing, and device upgrades indicate a transition from reactive fixes toward structured technical debt management.