How middle market firms can deal with data security breach threats

Data security breaches have been rife in the last few years and have focused on hacks against large companies. Cybersecurity should be an even greater concern for middle market companies—those with revenues of $25 million to $1 billion—because they may lack the scale of operations that can offset the costs of a harmful breach.

Small and medium-sized businesses also are seen by security experts as being at higher risk of data attacks because they’re less likely to have sophisticated defense mechanisms in place. And the fallout of the associated reputational damage could be more severe as these companies depend on a smaller universe of customers or suppliers. Indeed, 82 percent of middle market companies said data security is one of their biggest concerns, according to CIT’s 2016 Middle Market Outlook Study.


Focus from the top down

Given the gravity of potential breaches, middle market companies have a strong rationale to put greater emphasis on cybersecurity. There is agreement among experts that an effective cybersecurity program needs solid oversight from the firm’s board and senior management to address what increasingly are the compliance requirements being demanded by regulatory bodies.

“A good cybersecurity strategy is established at the top, regardless of the size of the company,” said Richard Spires, chief executive officer of Learning Tree International, an IT security and training provider.

A company’s security program should identify and categorize the potential risks and threats to the business. This includes identifying and classifying sensitive customer and business proprietary data and implementing appropriate controls to protect it. The policy matrix also should cover key areas requiring special technology support, an education and awareness training framework and a coherent program to deal with incident response and compliance matters.

Middle market companies also are at risk because they’re more likely to rely on vertical relationships to conduct business. One producer of education-oriented digital toys was hacked through an affiliated online store that sold its apps, losing data on children and their parents.

Data attacks through third parties such as suppliers, vendors and customers pose a risk to the full range of middle market companies, from retail and health care to energy, rail and communications. One common vulnerability is through so-called watering holes, or third-party web sites that might be visited by company stakeholders or appear in an industry-specific section of a news website. Attackers place malware in such portals that can infiltrate the company’s own network, but they may also exploit websites with insufficient protection against suspicious downloads or use fake websites aimed at attracting individuals from a specific entity.

Most consumer-oriented organizations these days face additional risk while trying to protect vital information obtained through their portals, especially retail outlets that do online business, and health care providers that maintain private medical records and other information. The Ponemon Institute estimated that the health care industry suffered $6.2 billion in losses due to data breaches in the past two years, with 79 percent of organizations suffering two or more in the past two years, and 45 percent experiencing five or more.

Some security breaches are the result of coding or other errors in third-party systems. In 2016, thousands of confidential employee records held by a county jurisdiction were passed to a large bank because of mistakes in the third-party enterprise processing system being used. Middle market companies need to perform effective due diligence for coding standards and to ensure their relationships have the appropriate information security programs and secure coding.

The human factor is the most important

While security data breaches thrive on vulnerable points in all business organizations, human error or lack of awareness is still the dominant cause. The most straightforward and cost-effective action a middle market company can take is to have a comprehensive security policy with a well-managed awareness, training and compliance program.

“Over half of all data security breaches can be attributed to negligent or malicious employees,” said Jacob D. Koering, co-leader of the cybersecurity and data privacy practice at Miller Canfield, a Detroit law firm. Middle market companies must understand that “employee compliance with security measures has a huge impact on the overall security plan.”


Since email and web browsing are the most effective tools used by hackers to exploit people, employees need ongoing training and awareness to be vigilant about passwords, avoid any clicks that would open links, do not open attachments or respond to emails from unknown sources. These factors become especially important in environments where working at home is an option, where corporate IT security controls are not available to protect remote users on a home or untrusted connection.

Using an ounce of detection

Identity management and data breach detection systems are two of the most effective tools that can be used by middle market companies in the battle for security. “Identity and access management systems are a key component of an effective security plan,” Spires said. Multi-factor authentication, such as text messages sent to a verified phone number or rolling codes that must be entered to grant access, can be implemented to provide an extra layer of security before providing access.

Though they make startling news headlines, data security breaches usually occur over an extended period, as fraudsters scope out the digital territory after they’ve managed to gain access. Breach detection systems monitor and log the activity of potential compromise sites such as database assets, user authentication logs and other vulnerable points. The applications generate alerts whenever the patterns being tracked reveal suspicious profiles that resemble potential attack behaviors or involve suspicious system modifications.

The good news is that the cost of features such as identity management and breach detection applications is coming down rapidly, so they’re getting more affordable for middle market businesses. Cloud technology is one reason for the falling prices, but the increasing frequency of data breaches and the potential costs have also energized a rapidly expanding sector of the tech community.

Keeping current on cybersecurity

As the cybersecurity environment is continually changing, new developments make it easier for companies with limited resources to stay current. A growing number of cybersecurity solutions and price points are aimed at small and medium-sized companies rather than the big operators. CIT found that 40 percent of middle market companies are looking to increase their investment in technology, and 59 percent believe their companies are defined by their ability to innovate.


Other trends in the evolving digital environment make it easier for middle market companies to stay abreast of the latest data security wrinkles, using open threat intelligence communities that collaborate to share actionable threat data. “The threat intelligence market has shifted considerably and a new breed of crowd-sourced threat intelligence and open threat sharing has taken off over the last few years,” said Jim Hansen, vice president of product marketing at AlienVault, a security management firm.

“For mid-size companies, the ability to access accurate, up-to-date threat intelligence is key.”