UK SMEs to increasingly rely on managed security services

Independent research conducted by Six Degrees reveals that UK small and medium-sized enterprises (SMEs) are set to increase their reliance on managed security services in 2025.

According to the report titled "Mapping the UK SME Cyber Security Landscape in 2025", two-thirds of SMEs plan to be more reliant on these services over the coming year, with 80% viewing this trend positively. A minority of 13% anticipate lesser dependency, while 19.5% expect to maintain their current level of reliance.

The research identifies that the primary reasons for SMEs purchasing managed security services include a lack of specialist skills to handle increasingly complex cyber security challenges (37%), and the necessity to meet various compliance demands such as legal, industry-specific, and regulatory requirements (36%).

These drivers surpass the motivations to combat the increasing volume and sophistication of cyber-attacks at 34%, to handle spikes in cyber security activity at 31%, and the need for 24/7 support at 28%. Notably, over 20% of SMEs engage managed security services to shift responsibility to third parties.

Vince DeLuca, Chief Executive Officer at Six Degrees, provided insight into these findings. He stated, "I welcome these candid responses from the UK's SME community. We've instinctively known for some time that a significant number of cyber security service purchases are driven by the need to demonstrate compliance with directives, regulations and laws. We also understand that the ongoing cyber security skills shortage leaves these organisations increasingly vulnerable to cyber-attacks—exposing them to risks that could jeopardise that compliance. That heightened risk makes it all the more likely that they would want to shift their responsibility to a third party."

DeLuca further emphasised the importance of understanding the shared risk profile that comes with purchasing cyber security solutions or services. "However, if a cyber security solutions or services provider has open and honest discussions with its customers, then those customers will know purchasing a cyber security solution means accepting a shared risk profile—it's not a way for businesses to abdicate responsibilities. The cyber security tool or service purchase and its ongoing management must also form part of a broader strategy that informs business change in every single context. If you don't re-engineer your organisation to be secure, no amount of tooling will fix it," he commented.

There is speculation that this increased reliance on managed security services reflects attempts by SMEs to handle their primary cyber security frustrations. The research identified key challenges including high implementation costs (43%), lengthy implementation times (37%), underutilisation of current protection solutions (33%), and the turnover of in-house experts (24%).

Addressing these issues through collaboration with managed security services providers, such as implementing Managed Extended Detection and Response, could be a strategic approach to managing threats across cloud and endpoint systems, especially given the skills shortage in the sector.

"There's a direct link between the lack of specialist skills needed to operate cyber security solutions and some of the biggest cyber security frustrations encountered by SMEs—including implementation delays, increased project costs, and an inability to fully utilise existing solutions. By increasing their reliance on managed security services, SMEs are taking proactive steps to address these skills shortages and, therefore, resolve their frustrations. This also explains why most think it's a good idea to lean more heavily on managed security services," DeLuca concluded.