Middle-market executives as a group are confident that their companies’ cybersecurity is doing the job, but the data on cyber incidents tell another story.
My company, RSM US LLP, in collaboration with the U.S. Chamber of Commerce, recently surveyed 400 executives on cybersecurity related topics for the Middle Market Business Index (MMBI) Special Report on Cybersecurity. Ninety-three percent of executives stated that they were “confident in their organization’s ability to safeguard customer data.”
But last year, midsize companies with annual revenues of $50 million to $300 million accounted for a fifth of cyber incidents, according to another survey RSM was involved in, the NetDiligence 2017 Cyber Claims Study.
Companies with higher revenues suffered significantly fewer incidents.
This means that attackers are not targeting only the largest companies, and that midsize companies may be at particular risk because of characteristics such as older IT infrastructure.
We also found the following trends in the cybersecurity study:
Not Getting the Whole Story
Information filtering on its way to executives is very common: often only the risks and vulnerabilities that can be mitigated are presented. When an executive approves the purchase of a new hardware or software product, the perception is that it will reduce the organization's risk or the likelihood of attack. Without a full picture of the risks facing the organization, the result is a false sense of security.
Increased spending on internal security controls and capabilities most likely inflated executive confidence, with 53% of respondents stating that the likelihood of unauthorized users attempting to access data and systems is very or somewhat unlikely. Among the respondents:
· 65% updated security protocols
· 52% purchased new or upgraded software
· 41% updated internal privacy policies
Despite these investments, the number of middle market companies reporting breaches has more than doubled in the past three years. This shows that investments in cybersecurity need to be made with a full understanding of their ability to address the risks facing the organization.
49% of smaller companies do not have cyber insurance policies, and 47% of companies are unfamiliar or only somewhat familiar with what their policy covers.
Ransomware, which can leave a company unable to operate at full capacity, changed the game on cybersecurity. 41% of middle market executives view ransomware as likely to occur in their environment, and 18% have already experienced at least one ransomware attack in the past 12 months.
Forty-five percent of middle market executives surveyed believe the new European Union General Data Protection Regulation (GDPR) is a major undertaking. While the fines can be severe, only 20% found GDPR to be relevant to their business. However, manufacturers with operations and clients in Europe will need to take a close look at the types of data they are holding, not only as a security best practice but also to avoid potential fines.
Beyond user awareness (the employee recognizes the attack and does not act on it), 63% of middle market companies had secondary controls that stopped an attack after a user acted on it, and 40% had systems and controls that prevented the attack from reaching the employee at all (the user never had an opportunity to act).
When I present to boards or participate on steering committees, the most asked question I receive is, “How do I compare to others in the industry?” According to a study by Gartner, the average spend in cybersecurity as it relates to the overall IT spend is 5.6%. This is a good baseline to see if your organization is spending enough to protect itself.
Ken Stasiak is a principal at auditing, tax and consulting firm RSM and the founder and former CEO of SecureState.