Industryweek 12302 Cybercrime

Middle-Market Companies Underestimate Cybersecurity Risks

July 26, 2018
Executives’ optimism that they have the correct systems in place doesn’t match the reality.

Middle-market executives as a group are confident that their companies’ cybersecurity is doing the job, but the data on cyber incidents tell another story.

My company, RSM US LLP, in collaboration with the U.S. Chamber of Commerce, recently surveyed 400 executives on cybersecurity related topics for the Middle Market Business Index (MMBI) Special Report on Cybersecurity. Ninety-three percent of executives stated that they were “confident in their organization’s ability to safeguard customer data.”

But last year, midsize companies with annual revenues of $50 million to $300 million accounted for a fifth of cyber incidents, according to another RSM survey, the NetDiligence 2017 Cyber Claims Study.

Companies with higher levels of income suffered significantly fewer incidents.

This means that attackers aren’t just targeting the big guys and that smaller companies might be at particular risk due to unique qualities including older IT infrastructure.

We also found the following trends in the cybersecurity study:

Not Getting the Whole Story

Information filtering to executives is very common, with only the risks and vulnerabilities that can be mitigated being presened. When an executive approves the implementation of a new hardware or software product, their perception is that it will reduce the organization’s risk or likelihood of attack. Without a full picture of the risks facing the organization, this results in a false sense of security. 

Increased spending on internal security controls and capabilities most likely inflated executive confidence, with 53% of respondents stating that the likelihood of unauthorized users attempting to access data and systems is very or somewhat unlikely. Among the respondents:

·         65% updated security protocols

·         52% purchased new or upgraded software

·         41% updated internal privacy policies

Despite these investments, the number of middle market companies reporting breaches has more than doubled in the past three years. This shows that investments in cybersecurity need to be made with a full understanding of their ability to address the risks facing the organization.

Cyberinsurance Concern

49% of smaller companies do not have cyber insurance policies, and 47% of companies are unfamiliar or only somewhat familiar with what their policy covers. 

Ransomware Issues

Ransomware, which effectively reduces the company’s ability to operate at 100% capacity, changed the game on cybersecurity. 41% of middle market executives view ransomware as likely to occur in their environment, with 18% having already experienced at least one ransomware attack in the past 12 months.

Overlooking GDPR 

Forty-five percent of middle market executives surveyed believe the new European Union General Data Protection Regulations (GDPR) are a major undertaking. While the fines can be severe, only 20% found GDPR to be relevant to their business. However, manufacturing with operations and clients in Europe will need to take a close look at the types of data they are holding not only as a security best practice, but also to avoid potential fines.

Secondary Controls

Outside of user awareness (employees not acting), 63% of middle market companies had secondary controls that prevented the completion of an attack (users acted, but the attack was prevented). Forty percent had systems and controls that outright prevented the attack from reaching the employee (users did not have an opportunity to act).

When I present to boards or participate on steering committees, the most asked question I receive is, “How do I compare to others in the industry?” According to a study by Gartner, the average spend in cybersecurity as it relates to the overall IT spend is 5.6%. This is a good baseline to see if your organization is spending enough to protect itself.

Ken Stasiak is a principal at auditing, tax and consulting firm RSM and the founder and former CEO of SecureState.

Popular Sponsored Recommendations

Shifting Your Business from Products to Service-Based Business Models: Generating Predictable Revenues

Oct. 27, 2023
Executive summary on a recent IndustryWeek-hosted webinar sponsored by SAP

Are You Positioned To Tackle Supply Chain Risk?

Sept. 20, 2023
Supply chain disruption is here to stay, but you can keep ahead of potential issues — and identify new opportunities — by regularly assessing your suppliers. Download our supplier...

Four Common OT Cybersecurity Pitfalls for Manufacturers

April 4, 2023
For the last six years, Dragos has leveraged their Professional Services team to develop an on-the-ground understanding of the realities facing the industrial community and to...

What Does Agility Look Like for Today's Auto Industry?

Dec. 4, 2023
Without modern technologies, enterprises aren't able to fully analyze the risks and respond to ongoing supply chain issues and semiconductor shortages.

Voice your opinion!

To join the conversation, and become an exclusive member of IndustryWeek, create an account today!