Cyber adversaries don’t just pick their targets from among the world’s biggest brands. Just as global internet access has leveled the playing field for competition, it also means no target is too small to be noticed. And the midmarket’s attitude toward cybersecurity definitely still has room to grow and improve. According to a National Center for the Middle Market survey, 55 percent of midmarket companies lack either an up-to-date cyber risk strategy or any defined cyber risk strategy at all.
There are things you can do today to start improving your cybersecurity posture that don’t require writing a big check. In fact, uncoordinated investment in piecemeal protection systems may promote a false sense of security while doing little to improve your situation. “Spending thousands and thousands of dollars on cybersecurity protects you — on the first day,” said Darren Learmonth, vice president of innovation for identity solutions provider HID Global. “On the second day, there will be a new persistent threat.”
Instead of focusing solely on technology, put these ideas to work.
1. Be direct with employees about their responsibilities.
In companies of all sizes, social engineering remains a huge attack vector. Most midmarket executives acknowledge that a social engineering attack probably will compromise systems over the next year. “Employee education and awareness is one of the best investments in protection,” said Tyler Leet, director of risk and compliance services at CSI, developers of financial services infrastructure. “And you don’t have to invest tens of thousands of dollars in equipment to minimize employee mistakes.”
Focus on demonstrations of just how easy it is to fall prey to common phishing strategies, whether by clicking on email links to malicious sites or plugging in a wayward thumb drive. Once employees understand the power of these cyberattacks, they will be better versed in how to recognize them — and they’ll know to report them before they hit your organization for real.
Also, take steps to cut down on casual daily exposure of your business, particularly among travelers. Shoulder-surfing is as old as the trade secret, and even easier to exploit when cameras are everywhere.
“Spend $50 on a really good privacy filter for everyone,” Learmonth advised. “I can’t begin to tell you the number of people who pull out their laptops next to me on an airplane and have their full P&L spreadsheet or source code visible.”
2. Assess risk in a mature, priority-driven way.
Be realistic. Just as there is no Santa Claus, there is no such thing as perfect invulnerability in this age of elevated cyber threats. “If you’re aiming to be bulletproof, you’re setting yourself up to fail,” Leet said.
Instead of aiming for the impossible, focus your protection efforts on the assets that matter most to you — and those with the greatest appeal for attackers. As Learmonth suggested, “Ask yourself: What’s the value of what you’re trying to protect, and how much would an adversary spend to get your secret sauce, be it your patent portfolio or designs for next year’s products?”
3. Tighten access controls in a systematic way.
It’s time to address overreliance on passwords in a sane and coordinated way. Don’t just introduce more stringent controls on frequent password changes and increasingly complicated strings of characters. Such approaches typically drive people to write their passwords down, undercutting security.
Instead, coordinate your approach to authentication so it makes sense and is consistent with modern cybersecurity theory. The National Institute of Standards and Technology (NIST) provides guidelines for three distinct tiers of authentication based on combinations of passwords, biometrics and tokens. These guidelines help you sort out which combinations actually provide greater certainty — and which are merely burdensome.
4. Stay informed of legal developments at the federal and state levels.
The General Data Protection Regulation isn’t the only important legislation affecting the way midmarket companies store and protect data. As of April 2018, all 50 U.S. states have regulations requiring businesses to notify some combination of government agencies and affected customers of data breaches. And although federal regulations outside of certain high-profile industries like finance and healthcare have typically been treated in a hands-off manner by the federal government, that may soon change as well.
“We saw in the Mark Zuckerberg interview that there’s growing interest in regulating privacy and data online,” said Sarah Fulton Hutchins, a partner in the law firm Parker Poe who specializes in data breaches and privacy issues, referring to the Facebook CEO’s congressional testimony. “At the moment there are no federal, overarching, all-encompassing rules like they have in Europe, but legislation is introduced each year that could very well affect smaller businesses.”
5. Appoint a business-minded cybersecurity czar.
Whether you find him or her in-house or via an outside security contractor team, designate a business leader who will serve as your cybersecurity czar. It’s less common in the midmarket to carve out a position for a full-time chief information security officer (CISO), as large enterprises often do. But it’s important to have a leader who can translate cybersecurity strategy into the language of business risk and opportunity.
Your cybersecurity czar should provide regular threat assessment reports to the C-suite and other key leaders, and evaluate the risks and returns of ongoing cyber investments in products such as cybersecurity insurance.
“A lot of companies assume that they are covered under umbrella policies, and increasingly, they’re not,” Hutchins cautioned. “So buy cyber insurance. It’s cheap. It won’t be in five to 10 years.”