Businesses confronted with the risk of cybersecurity attacks need to avoid falling into the mindset that “it can’t happen to us.”
Even middle market companies lack adequate cybersecurity protection and often are unaware when attacks take place, according to a recent survey conducted by the National Center for the Middle Market.
“I think cybersecurity started as a big company problem,” said Doug Farren, managing director of the organization, which is headquartered at The Ohio State University. “You see all the well-publicized hacks, and I think the mindset of the middle market company is ‘well, we fly under the radar. We may be a B2B company and no one is coming after us.’”
However, Farren notes the danger in that sentiment, especially in an age when cybersecurity attacks are becoming a more normal part of doing business.
“The problem, as we see, is that a lot of companies as they responded to our survey are saying, ‘No, we don’t think we’ve been a target of a hack,’” Farren said. “But in reality that may have already occurred and they just haven’t discovered it yet.”
The study, which included companies with annual revenues ranging from $10 million to $1 billion, showed the majority of respondents either did not have a defined cybersecurity strategy or had a strategy that was not up to date.
The study also found 75 percent of respondents thought they had not been the victim of a cyber attack. Another 16 percent stated their company had been subjected to an attack.
According to the study, most of the hacked companies were growing more rapidly than in previous years, were more likely to have been expanding into new international markets and had greater difficulty accessing capital.
The National Center for the Middle Market presented its cybersecurity study during a January event hosted by the Western Michigan chapter of the Association for Corporate Growth in Grand Rapids.
While the study notes that companies in health care, financial services and retail are concerned about cybersecurity, it’s a “misconception” that only those sectors are exposed to hackers, said Randy Brinks, founder of Grand Rapids-based RedRock Information Security LLC.
Instead, hackers monitor vast amounts of network data looking for vulnerabilities, regardless of industry, he said.
CONCERNS OVER COST
Although many cybersecurity experts predict the rate of cyber attacks will continue to increase, many businesses simply put off spending the money required to implement cybersecurity best practices and technology, according to Brinks.
“It’s still difficult to get those middle market companies to spend money (on cybersecurity),” Brinks said. “Then even if they have a breach, they’d rather sweep it under the rug, even when they have a chance of 10,000 Social Security numbers going out the door.”
However, companies don’t have to invest thousands of dollars to begin implementing cybersecurity best practices, Farren said.
“Cybersecurity needs to become part of the regular business discussion,” he said. “They are probably talking about growth plans and looking at the financials and thinking about their talent plans, but cybersecurity probably needs to become a regular part of those leadership meeting agendas.
“We’re not saying you need to go out and hire a head of cybersecurity, particularly if you’re a $30 million company, but it may make sense to outsource it to someone that can come in with the expertise and skills and take that off the plate of the leadership team, and can provide best practices and additional security and recovery measures.”
BUILDING A SECURITY-MINDED CULTURE
Despite even the largest investments in technology and equipment, an organization’s best cybersecurity defense often falls to its people. That’s because the best and most expensive cybersecurity systems can be defeated by an employee’s poorly kept password or the careless click of a link.
Instead of elaborate attacks, some hackers attempt to trick workers into installing malicious software through what’s known as phishing. In a phishing attack, hackers send legitimate-looking emails to employees, often from an executive’s email account, asking for credentials or for the worker to download an application that will allow the hacker into the company’s system.
“Imagine a middle market company with 100 employees and you get an email from the CEO that asks you to send data or a password,” Farren said. “You’re probably going to do it. There’s no real reason for you to distrust that email.”
Attacks where an executive’s email address is hacked to trick employees — also known as business email compromise (BEC) — are expected to be a “more attractive mode of attack” in 2017, according to a recent Security Predictions report by Trend Micro, a global I.T. security firm.
According to the report, cybercriminals on average glean $140,000 per successful BEC attack. That compares to the $722 that hackers receive from the average ransomware attack, in which they hold data until companies pay a fee.
“I think it’s a training thing. Employees need to not be in fear of questioning or verifying,” Farren said. “What are the steps I need to follow if I get a request and it seems suspicious to me? Without something defined and shared broadly, people will be forced to use their own judgment and unfortunately that can be the failure point.”
For his part, RedRock’s Brinks says the human element is “always the weakest link” in cybersecurity. To remedy that, his organization offers its customers continuous training to teach workers how to spot and avoid potentially harmful links or other cyber attacks.
RedRock also administers “phishing testing” where it sends out mock attacks to workers and tracks which employees click the links. Those employees are then given remedial cybersecurity training, he said. The company also probes its clients’ cybersecurity systems for weaknesses.
Ultimately, sources interviewed for this report said cybersecurity best practices require a variety of strategies, beyond just investing in the most expensive systems.
“It’s the people, process and technology,” Farren said. “You can’t just throw a bunch of money at this or hire a bunch of people.”