The second post in a new series focused on insights from the National Center for the Middle Market’s research initiatives, this article looks at cybersecurity practices in the middle market and offers insight on how to better protect your business from attacks.
Over the past two years, just 17% of middle market companies say they have experienced a digital disruption, such as a cybersecurity attack, server breakdown, or system failure, according to the National Center for the Middle Market’s recent study on business risks. Security experts, however, say that number is quite low. And the reason is that most companies simply don’t know they’ve been hacked.
“People set up these great big walls, they buy IPS, they buy antivirus, they buy products that look for vulnerabilities and look for attacks. But they have very little breach detection. So really, they just don’t know what they don’t know,” Joey Muniz, Cisco Security Architect, said in the Center’s Risk and Resilience webinar on March 21.
Indeed, according to the Center’s cybersecurity report from December 2016, 75% of middle market companies believe they have never been hacked. And while the vast majority (86%) say cybersecurity is important, their plans don’t mirror their concerns: Fewer than half of middle market companies have a current, regularly reviewed cyber risk strategy in place.
3 Reasons Why Digital Disruptions Happen
Obviously, a lack of a well-defined cybersecurity strategy can leave companies vulnerable. Muniz described three other factors that contribute to digital disruptions:
- Too many devices and too many device types. Specifically, IoT devices can be a gateway to your network because companies can’t put antivirus or other common security products on these devices. They must protect around the devices instead, and this can be a major challenge for many companies.
- People don’t understand the entire attack. Most companies use antivirus and IPS products to prevent attacks. But they don’t have capabilities in place should something breach one of these systems. As a result, they are only defending against half of the attack.
- A false sense of security. Companies invest in security products and receive data from those products, which makes them feel safe. In reality, few companies know how to manage and interpret the data from disparate systems to answer security questions and fully understand their cybersecurity situation.
A Framework for Managing Cyber Risk
What would you do today if you knew you were going to be breached tomorrow? Muniz discussed this idea in our webinar. The Center’s recommendation is to develop a three-pronged approach that can help you better understand risk, protect your operations, and respond more quickly to disruptions.
- Sharpen reconnaissance. At least once a year, board leaders should review your organization’s cybersecurity strategy and make updates as needed. In addition, you should maintain real-time threat monitoring on an ongoing basis.
- Improve resilience. Several steps companies need to take include backing up their data, fully training all employees on security practices and protocols for external communications, and regularly reviewing and updating legal risk and cybersecurity insurance.
- Prepare for recovery. Companies need a disaster recovery plan that includes pre-identifying all resources that will need to be in place post-attack. More than a quarter of firms currently don’t have a documented incident response plan, according to our December 2016 cybersecurity report. Knowing what you would do—and running fire drills or practices—can help ensure you’re ready to respond as soon as an attack is identified.
Reduce your digital risks today.
To learn more about digital disruptions and cybersecurity, visit the Center’s Cybersecurity Resource Center for access to our latest content and practical recommendations for better protecting your information and systems.