Top management support for cybersecurity in medium-sized companies has grown by 30% compared to last year, which is essential to align the cybersecurity strategy with the company’s objectives and integrate cybersecurity into the organization’s culture. This is one of the conclusions of the II Barometer of Cybersecurity in Medium Enterprises, which has just been published by Cylum, the Factum business unit that offers managed cybersecurity services adapted to the needs of this type of companies.

However, this is not accompanied by an increase in investment: 70% currently dedicate less than 5% of their overall IT budget to cybersecurity, only 1% more than the previous year. Even so, throughout 2026, 60% of these companies plan to increase the budget allocated to strengthening their cybersecurity, while 10% plan to reduce it.

Training, investment and adoption

One of the reasons for the lack of investment in cybersecurity is related to the level of cybersecurity maturity, which 4 out of 10 IT managers rate as intermediate. This means that basic measures are in place but processes are not formalized, which calls for training, investment in infrastructure and the adoption of cybersecurity best practices.

30% of organizations are at an intermediate level of protection. These companies have defined cybersecurity strategies, but with areas for improvement, such as the need to reinforce their policies, monitoring and incident response capabilities, with the aim of moving towards a more advanced level of cybersecurity.

Another conclusion is that, although some companies choose to outsource IT services, almost a third (30%) have one or two suppliers specialized in cybersecurity, while 10% work with more than five. This reflects growth in the adoption of specialized cybersecurity services and a reduction in exclusive support from internal resources or non-specialized providers.

62% of midsize businesses still struggle to comply with key regulations such as GDPR and NIS2. According to 80% of these professionals, this may be due to a lack of financial resources and a shortage of qualified cybersecurity personnel. In this context, Cylum experts recommend adopting frameworks such as ISO 27001 to standardize cybersecurity and minimize the risk of sanctions.

Ransomware continues to be one of the major threats

Among the main risks identified by IT managers, phishing and social engineering stand out as the most frequently cited threats. Alongside them, ransomware continues to be one of the most critical cyber threats for companies. Another relevant risk identified in the study is vulnerabilities in systems and applications, which reflects the difficulties that many organizations still have in managing cybersecurity across increasingly complex and distributed infrastructures.

“The results show that there is a growing awareness of cybersecurity risks, but many organizations still have difficulties translating that concern into real defense capabilities,” explains David López, director of operations and pre-sales at Cylum.

The complete report of the II Barometer of Cybersecurity in Medium Enterprises can be consulted and downloaded on the Cylum website. The study was produced in collaboration with leading technology partners such as Cato Networks and Sophos, reinforcing the cybersecurity ecosystem in the business sector.