There’s a similar story happening in cybersecurity, as media coverage of the high-profile data breaches at Fortune 1000s spark our outrage, provoke our interest and ignite our fears, even though such large organizations are well-prepared to remediate and pay for the damages incurred.
However, it is the millions of unreported or underreported cyberattacks on mid-market businesses that are proving the most devastating — although you probably have not read about them in the mainstream news.
The Underreported Threats Reign Supreme
Mid-market companies are generally aware of the threats and vulnerabilities compounding their risk, but they cannot, or will not, take sufficient action to protect themselves. According to a report by the National Center for the Mid-Market [note: link opens a PDF], 86 percent said cybersecurity was important, but only 45 percent said they have a defined cybersecurity strategy that is current and reviewed at least annually.
Last summer, as hackers penetrated Equifax and stole the personal data of more than 145 million people, a digital crime wave targeting thousands of mid-sized businesses was thriving under the radar.
While the spotlight was on this breach, the same time period consisted of events like the $2,000 ransom an insurance broker was forced to pay to regain access to his computer, the phishing attempt that convinced a controller at a construction company to wire $5,000, and the malware that swiped personal information from dozens of a law firms’ clients. In total, cybercrime now costs (due to damage or theft of IT assets and infrastructure as well as disruption of normal operations) mid-market companies over $2.2 million on average per attack [note: link opens a PDF].
Attacks like these now happen every day because much as a robber considers a homeowner an easier target than a highly secured bank, cyber criminals now view smaller businesses as an easier alternative to the increasingly well-defended enterprise.
The Necessity of Enterprise-Grade Security for the Mid-Market
Opportunistic hackers often seek the path of least resistance, therefore viewing the mid-market as easy prey. According to the Verizon Data Breach Investigations Report, 61 percent of breaches hit smaller businesses in 2017, up from 53 percent the previous year. To make matters worse, many small businesses simply can’t recover from these attacks. A report from the Ponemon Institute found that it costs an average of $690,000 to clean up damages. Astoundingly, six out of 10 small businesses go out of business within six months of suffering an attack.
Today many SMEs are adopting cloud-based solutions and “work from anywhere” policies. While such structures enable these companies to grow, the unintended consequences are that they reduce control over the network access, thereby increasing risk of employees engaging with unmonitored connections and unmanaged networks.
Infrastructure such as cellular and Wi-Fi networks can have their own vulnerabilities as well, and devices can be compromised with insufficient firewalls, anti-malware and outdated operating systems. And while many organizations offer virtual private networks (VPN) for employees to access information remotely, they do not eliminate the risks, especially if the VPN connects to a malicious network. Cloud services such as G-Suite, Office365, Dropbox and Salesforce all have strong security, yet they still remain vulnerable to phishing, malware, malicious insiders and other advanced cyberattacks.
Ultimately, these cloud-based business apps introduce as much risk, if not more, as they provide reward.
Geographic Vulnerabilities Add Risk to Remote, BYOD Workers
In addition to the BYOD and cloud-based business app risks, many mid-market leaders are unaware of the cyber threats outside of the office environment. Between December 2017 and May 2018, Coronet analyzed mass amounts of data to measure both threats and vulnerabilities in specific locations, finding that much like physical crime, risk varies dramatically by geography.
Consider these numbers from our Coronet report [note: link opens a PDF]:
- In Houston, there is a 46.5 percent probability of a device connecting to a medium or high-risk network.
- In Memphis, 11 percent of devices have no password security.
- In Tampa, five percent of devices are using a non-original operating system.
- In one suburb of Providence, RI, 19 percent of devices have no password protection.
- In Las Vegas, cyber threats exceed the national average in every network and device vulnerability category.
Such risks are especially problematic for mid-sized businesses whose employees are very likely to use their own devices and work from offsite locations in which Wi-Fi is at risk of being highly insecure.
Attackers have shown their cards and the mid-market represents an extremely valuable alternative to the well-defended enterprise. That’s why it’s time for the mid-market to take cybersecurity as seriously as the enterprise, even as financial and operational constraints remain.
An attack or vulnerability exploit against just one employee, machine or system could put the entire company out of business — although if that were to happen, you probably wouldn’t see it mentioned on the evening news.
About Dror Liwer
Dror Liwer is the founder and CISO of Coronet, an award-winning cloud security company that helps mid-sized and small businesses protect cloud apps from unauthorized access, data theft and malware/ransomware for free.