Business Fortitude
    Policy & Regulation

    UK Cyber Regulations Demand Enterprise Security from SMBs. It's Unrealistic.

    By Ross Williams · 6 min read
    • Ransomware attacks jumped 126% in Q1 2025 compared to the previous quarter
    • Research suggests 60% of SMBs that suffer a cyber-attack close within six months
    • Average companies deploy at least six security tools, whilst larger organisations manage over 80 separate systems
    • Major incidents must be notified within four hours of detection under DORA's reporting requirements

    A 20-person organisation discovered attackers had been inside their cloud environment for weeks, quietly configuring mailbox rules to siphon sensitive data. The breach, disclosed by cyber security firm Coro, exemplifies a widening gap threatening Britain's mid-market businesses as three major pieces of legislation converge to impose enterprise-grade security obligations on firms that can barely afford a single dedicated security professional. The timing couldn't be worse, with ransomware attacks surging and regulatory requirements assuming resources that most mid-sized UK organisations simply don't have.

    Cyber security professional monitoring threats on multiple screens

    The compliance trap

    The regulatory requirements sound reasonable in theory: continuous monitoring, rapid incident reporting, documented security controls. But translating those mandates into practice requires resources that most mid-sized UK organisations simply don't have. For a 50-person professional services firm or a regional manufacturer with two IT generalists, the assumption of dedicated security operations centres is divorced from reality.

    NIS2, which came into force across the EU in January 2023 and affects UK firms operating in member states, extends cyber-security obligations to sectors previously exempt: waste management, food production, digital infrastructure providers, and public administration entities now face the same standards as critical infrastructure operators. DORA targets financial entities and their supply chains with specific timelines for incident reporting, requiring major incidents to be notified within four hours of detection. The UK's Cyber Security and Resilience Bill, currently progressing through Parliament, proposes similar obligations for operators of essential services and suppliers to critical sectors.


    Mid-market leaders tell us their security needs have simply outstripped their resources. They can't afford to hire somebody entirely focused on security, yet regulators are demanding that exact level of oversight.

    Neill Burton, VP and general manager for EMEA at Coro Cyber Security, frames the problem bluntly. What's particularly challenging for lean IT teams is the expectation of continuous monitoring — not quarterly audits or annual penetration tests, but real-time visibility into security events across email, endpoints, cloud services, and identity systems. What's interesting here is the implicit assumption baked into these regulations: that organisations have the budget and staff to implement controls designed for enterprises with dedicated security operations centres.

    The hidden cost of fragmentation

    Faced with mounting threats, many organisations have assembled security tools piecemeal. One vendor handles email filtering, another provides endpoint protection, a third monitors cloud applications. Each purchase made sense individually, but the cumulative effect is operational chaos.

    IT manager overwhelmed by multiple security systems and alerts

    Research from enterprise technology analysts suggests the average company deploys at least six security tools, whilst larger organisations manage over 80 separate systems. For lean teams, this fragmentation creates what security professionals call "alert fatigue" — so many notifications from disparate systems that critical warnings get buried. One study found 73% of IT teams miss important security alerts because they're overwhelmed by false positives.

    The patchwork approach also creates blind spots. When security tools communicate through API integrations rather than native architecture, threats that span multiple systems — a phishing email that compromises credentials used to access cloud data — can slip through the gaps. Each tool sees part of the attack chain, but no single system connects the dots.
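    The blind spot described above is easiest to see in code. The following is an added illustration for this article, not Coro's product or any vendor's code: three constructed log feeds (an email gateway, an identity provider and a cloud storage service) each record one low-severity event for the same user, and none of them alone would page anyone. A small correlation over the user and a time window joins the stages into the single attack chain the paragraph describes: a suspicious link click, a sign-in from a new location, a bulk download and a new inbox rule. All users, timestamps and event names are made up for the example.

```python
"""Correlate one phishing-to-cloud-access chain across three separate tools.

Added example for illustration; not code from the article, Coro or any vendor.
Every log line below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, one dict per line, in the shape a point tool might emit.
# Seen on its own, each feed holds only a low-severity event for "alice".
EMAIL_LOG = [
    {"ts": "2025-03-03T09:02:00", "user": "alice", "event": "url_click", "verdict": "suspicious"},
    {"ts": "2025-03-03T09:05:00", "user": "bob",   "event": "url_click", "verdict": "clean"},
]
IDENTITY_LOG = [
    {"ts": "2025-03-03T09:14:00", "user": "alice", "event": "login", "new_location": True},
    {"ts": "2025-03-03T09:20:00", "user": "bob",   "event": "login", "new_location": False},
]
CLOUD_LOG = [
    {"ts": "2025-03-03T09:31:00", "user": "alice", "event": "bulk_download", "files": 412},
    {"ts": "2025-03-03T09:33:00", "user": "alice", "event": "inbox_rule_created", "rule": "forward external"},
    {"ts": "2025-03-03T10:10:00", "user": "bob",   "event": "bulk_download", "files": 3},
]

STAGE_ORDER = ("email", "identity", "cloud")


def is_stage(source, e):
    """True when an event from `source` counts as one stage of the chain."""
    if source == "email":
        return e["event"] == "url_click" and e["verdict"] == "suspicious"
    if source == "identity":
        return e["event"] == "login" and e["new_location"]
    if source == "cloud":
        return (e["event"] == "bulk_download" and e["files"] >= 100) or \
               e["event"] == "inbox_rule_created"
    return False


def correlate(email_log, identity_log, cloud_log, window_minutes=60):
    """Return {user: [event names]} for users whose events from all three
    feeds line up, in stage order, inside `window_minutes`."""
    feeds = {"email": email_log, "identity": identity_log, "cloud": cloud_log}
    per_user = defaultdict(list)
    for source, log in feeds.items():
        for e in log:
            if is_stage(source, e):
                per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), source, e["event"]))

    window = timedelta(minutes=window_minutes)
    incidents = {}
    for user, events in per_user.items():
        events.sort()                      # chronological; tuples sort by timestamp first
        first_seen = {}
        for ts, source, _ in events:
            first_seen.setdefault(source, ts)   # earliest occurrence of each stage
        if not all(s in first_seen for s in STAGE_ORDER):
            continue                       # some tool saw nothing: no chain
        times = [first_seen[s] for s in STAGE_ORDER]
        in_order = times[0] <= times[1] <= times[2]
        if in_order and times[2] - times[0] <= window:
            incidents[user] = [name for _, _, name in events]
    return incidents


if __name__ == "__main__":
    for user, chain in correlate(EMAIL_LOG, IDENTITY_LOG, CLOUD_LOG).items():
        print(f"{user}: {' -> '.join(chain)}")
```

    Run as-is, the script reports a single incident for `alice` spanning all four events, while `bob`, who clicked a clean link and signed in from a known location, produces nothing. Shrinking the window to ten minutes drops the chain, which is the practical trade-off: a correlation window wide enough to catch a slow intrusion also needs the feeds to keep flowing, so a stalled integration between tools silently removes a stage and the chain never forms.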

    Burton's firm, Coro, is naturally positioning itself as the solution to this problem, offering what it describes as a unified platform covering email, endpoint, identity, and cloud security. The company claims its system can automatically detect and remediate "99% of common threats" including malware and phishing. That's a marketing claim worth treating with appropriate scepticism — no security system is infallible, and "common threats" is conveniently undefined — but the underlying premise about consolidation reducing complexity has merit.

    The broader trend is clear enough without taking vendor claims at face value. Organisations are actively trying to reduce vendor sprawl, both to cut costs and to simplify management. Gartner research from late 2024 found that "platform consolidation" ranked among the top three priorities for security leaders, driven equally by budget pressures and operational efficiency concerns.

    A single point of failure

    The consolidation pitch raises an obvious question: doesn't putting all your security functions in one platform create a dangerous single point of failure? If that unified system goes down or contains a vulnerability, your entire security posture collapses.

    A misconfigured integration between separate tools is far more likely than a platform-wide failure. We see it constantly — teams think they're protected because they've bought the right products, but nobody realised the API connection stopped working three months ago.

    Burton acknowledges the concern but argues the risks of fragmentation are worse. For mid-sized UK businesses, the choice increasingly feels like selecting the least-bad option. Traditional enterprise security stacks require six-figure budgets and dedicated staff. Fragmented point solutions create operational complexity that lean teams can't manage. Doing nothing risks both catastrophic breaches and regulatory penalties that can reach millions of pounds under NIS2.

    Business executive reviewing cyber security compliance documentation

    What comes next

    The compliance crunch will intensify before it eases. As the UK Cyber Security and Resilience Bill progresses and enforcement of NIS2 and DORA ramps up, regulators will expect demonstrable evidence of continuous monitoring and rapid response capabilities. Firms that can't produce audit trails or incident response documentation will face penalties.

    This regulatory pressure may accelerate market consolidation in unexpected ways. Mid-sized businesses that can't afford compliance may become acquisition targets for larger firms with established security operations. Others may exit certain markets or abandon expansion plans that would bring them into scope of new regulations.

    The platform consolidation trend — whether through Coro or its competitors — addresses symptoms rather than causes. The fundamental problem is regulations designed with enterprise assumptions applied to organisations operating on SMB budgets. Until that mismatch is acknowledged, growing companies will continue rethinking their cybersecurity strategies to navigate the impossible equation of increasing threats, tightening regulations and lean IT resources. As industry experts increasingly argue, weathering cybersecurity incidents requires more than operational resilience — it demands a fundamental rethinking of what collective resilience means.

    This article is for informational purposes and does not constitute financial or regulatory advice.

    • The mismatch between enterprise-level regulatory requirements and SMB budgets creates an impossible equation that may force mid-sized firms to become acquisition targets or exit certain markets entirely
    • Platform consolidation addresses operational symptoms but not the fundamental regulatory design flaw — watch for whether legislators adjust requirements to match organisational realities
    • The four-hour incident reporting requirement under DORA and continuous monitoring expectations will separate compliant firms from those facing substantial penalties as enforcement intensifies
    Ross Williams

    Co-Founder

    Multi-award winning serial entrepreneur and founder/CEO of Venntro Media Group, the company behind White Label Dating. Founded his first agency while at university in 1997. Awards include Ernst & Young Entrepreneur of the Year (2013) and IoD Young Director of the Year (2014). Co-founder of Business Fortitude.
