When it comes to cybersecurity attacks, threat actors are frighteningly impartial. Every organization, regardless of size, is a target, and every piece of data has value. The numbers for mid-sized businesses in particular speak for themselves. According to Verizon’s 2023 Data Breach Investigations Report, 43% of all data breaches involve businesses of this size. In fact, over 48% of medium-size enterprises reported a cybersecurity incident last year, according to StationX. More tellingly, Verizon further stated that of 699 cybersecurity incidents impacting these entities investigated in the last year, 381 involved confirmed data disclosures. In comparison, the total number of incidents for large companies was 496, with 227 of them involving confirmed data breaches. Clearly, these companies are more vulnerable, and experts believe it is because they sit at a “balance” between two worlds. On one hand, they maintain valuable information, such as employee and customer records and the organization’s financials. On the other, their digital infrastructure may have fewer resources dedicated to cybersecurity, and more dated security infrastructure and practices, than larger organizations. Not to mention, they often have under-trained or under-skilled personnel managing and responding to threats. Given these circumstances, it’s not surprising that Verizon believes only 14% of mid-sized businesses are prepared to defend themselves.
So, how should these organizations approach the cybersecurity challenge?
The first step is, arguably, letting go of the belief that “this won’t happen to us.” It can and it does! It doesn’t matter if their data is not “on the level” of large enterprises. The threat actors are usually just looking for an easy payout, and they often consider a mid-sized business a low-risk, low-effort undertaking!
The second step is to understand that investing in cybersecurity is not a one-size-fits-all exercise. It is critical not just to understand and implement a sound cybersecurity program, but to foster a culture of cybersecurity awareness as well. But where to begin?
So, how much does a cyberattack cost a business? IBM’s Cost of a Data Breach report provided an intriguing, yet startling, perspective.
Overall, companies with fewer than 5,000 employees registered a significant increase in the average cost of a data breach. The report highlights that organizations with fewer than 500 employees saw the average impact of a data breach increase from $2.92 million to $3.31 million – a 13.4% hike. Those with 500–1,000 employees saw an increase of 21.4%, from $2.71 million to $3.29 million.
Monetary losses aside, organizations also stand to lose their customers’ trust. When customers become aware that their data is compromised, they are more than likely to switch brand loyalties overnight.
The bottom line is simple: a cyberattack can cost you more than just operational downtime and financial losses. The bigger picture is recovering from a compromise with your brand integrity intact. After all, industry reports cite that 60% of mid-sized enterprises that experience a successful cyberattack close their doors within six months!
The cybersecurity challenge clearly weighs heavy on the minds of all business leaders. How best can the issue be addressed?
According to Reveal Risk, the easiest place to start is to ensure that time and money are invested in a balanced manner across people, processes and technology. To get a clearer picture, these mid-sized enterprises may do best to collaborate with an experienced outsourced service partner (like Quatrro), not just to improve their overall cybersecurity stance, but to maximize their ROI as well! Such a partner can help you identify the best strategy and use of resources to build the strongest defense.
All organizations, regardless of size and complexity of security infrastructure, can still experience a cyberattack, owing to human error. Re-emphasizing this fact is the World Economic Forum, which has said that a staggering 95% of all cybersecurity incidents are a result of human error!
To address this, businesses must foster an organizational culture that promotes cybersecurity awareness and training.
A few useful tips and tricks from the Global Cybersecurity Association can help enhance an organization’s cybersecurity stance:
So, when developing a cybersecurity strategy, what is most important to keep in mind? According to experts, an ideal plan aims at continuously monitoring your systems and assessing threats. This, coupled with a professional security risk assessment, is what makes (or breaks) any cybersecurity program.
In a nutshell, a risk assessment is a systematic process of identifying, analyzing, and evaluating potential risks to these enterprises’ information assets and systems. It is a framework for assessing the likelihood and impact of threats. Per industry reports, effectively executing a risk assessment exercise entails highlighting the following components:
For more information about conducting an annual risk assessment, check out this recording of a webinar we conducted with a cybersecurity expert with 25+ years of experience, including 12 years at the White House Communications Agency.
For mid-sized enterprises unsure of how to embark on their cybersecurity journey, the National Institute of Standards and Technology (NIST) offers a simple approach. Its framework focuses on five core principles: Identify, Protect, Detect, Respond, and Recover. Any business can begin with a self-assessment to identify its current cyber posture and its corporate assets. Thereafter, the organization will have an educated and informed starting point for its cybersecurity plan.
Consider the following processes to ensure your cybersecurity program remains robust:
Cyber resilience, as ResilientX Security puts it, is about assembling the right strategy at the right place, to form a holistic defense.
They highlight that an enterprise can adopt two approaches to building (and maintaining) cyber resilience:
This entails putting proactive security measures at the forefront, to ensure your cybersecurity defenses stay strong. Typically, these include:
2024 is expected to be a busy year for cybersecurity – especially with AI and ransomware anticipated to take center stage! A few notable trends to look out for (and to ramp up your defenses against) include:
Creating (and maintaining) a strong cybersecurity infrastructure is a continuous process. Mid-sized enterprises will benefit from continuing to invest in this infrastructure while also ensuring it is regularly updated and evolves with the threat landscape. After all, cyberthreats are only projected to become more malicious over time!