In the last few years, many large businesses have overhauled their approach to cyber security. The rise of remote working forced them to bring forward long-planned upgrades to both security technology and processes, and the result has been markedly stronger protection of their data and systems.
On paper this looks like very good news, but it isn't necessarily good news for everyone. Why? Because the majority of cyber criminals are opportunists looking for the quickest and easiest way to make the maximum amount of money from their victims. Historically that meant targeting larger businesses, which have more valuable data and deeper pockets. However, as these large businesses continue to shore up their cyber defences, criminals have started looking elsewhere for easier targets, and many of them are turning their attention to less well protected mid-market enterprises instead.
Cyber security is a growing concern for mid-market enterprises
A recent study by Barracuda Networks found that employees of businesses with fewer than 100 staff face around 350% more social engineering attacks than employees of larger organisations. Combined with the reported 600% increase in cyber crime over the pandemic, the outlook for mid-market enterprises starts to look pretty grim. That is not to say these organisations have been resting on their laurels when it comes to cyber defences, but smaller budgets and fewer resources make it almost impossible to match the detection and protection capabilities that large enterprises can muster.
Cyber risk insurance isn’t the solution it seems
In response, some mid-sized businesses have tried to limit the damage through cyber insurance. At first glance, cyber insurance seems a pragmatic way to reduce the financial risk of cyber crime, and it can look cheaper than maintaining strong cyber security internally. It is intended to safeguard an organisation financially against the cost of a cyber incident. Cyber insurance policies generally stipulate certain preventive measures as a condition of cover, but meeting these does not mean a business is fully, or even well, protected: the policy transfers some of the financial impact, not the underlying risk.
As with all insurance, there is also the risk of claims being denied for an increasingly diverse and complex array of reasons, or of pay-outs being smaller than needed to cover the disruption and damage caused. Cyber insurance can also breed complacency: if the financial impact appears to be covered, there is less immediate pressure to invest in long-term mid-market enterprise cyber security. Incidents and claims can push premiums up or make a future pay-out more likely to be refused, all at a time when governments and law-enforcement agencies are advising businesses not to pay ransoms at all.
Prevention is better than cure
In today's cyber threat landscape it is no longer a question of 'if' but of 'when': organisations must assume they will be compromised at some point. And, like so many things in life, prevention is better than cure, and cyber security is no exception. After a successful breach, even a generous insurance pay-out is unlikely to make up for the reputational damage and loss of customer trust, not to mention the business disruption and unplanned downtime that follow.
What can mid-market enterprises do to reduce their chances of being attacked?
A key, and highly cost-effective, cyber security strategy for all businesses is increasing employee awareness. Cyber attacks often succeed because of employee error. If an employee does not recognise the tools criminals use, such as phishing emails or malicious links and attachments, they can easily click on them and let the attacker in, making the business far more susceptible to a breach. Regular, thorough employee training that includes realistic examples of current phishing lures measurably reduces the rate at which staff fall for them.
From a technology perspective, cyber security is more complex, but there are core activities that every organisation with a digital presence should have in place. The starting point must be a review of how the business currently protects its users and systems, to identify gaps and weaknesses. Mid-market enterprises need monitoring that can detect compromised email accounts (for example, sign-ins from unexpected locations or newly created mail-forwarding rules) and suspicious inbound messages. Responses to common alerts, such as revoking sessions or removing a malicious inbox rule, can be automated to reduce the load on a small team. Keeping security software, signatures and policies up to date is equally essential: with cyber criminals refining their attacks every day, it is vital to have current defence tools and detection in place.
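The paragraph above says mid-market firms need monitoring for compromised email accounts and can automate the response, but does not show what that looks like. The following is an added example written for this page, not code from Six Degrees or from any product it describes. It runs two simple detections over constructed audit events (sign-ins and mailbox-rule changes in a made-up CSV-style format, not real log output): a sign-in from a different country within an hour of the previous one, and a new forwarding rule pointing outside the organisation's own domains. It then maps the findings to the containment actions an automated playbook would take. The event format, the one-hour window, the `INTERNAL_DOMAINS` set and the action names are all assumptions for the example.

```python
"""Toy compromised-mailbox detection over constructed audit events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, NOT real logs. Each line is:
#   timestamp,user,event,country,detail
# 'signin' events carry a result in 'detail'; 'inbox_rule' events carry
# 'forward:<address>' when a forwarding rule was created.
EVENTS = [
    "2024-03-04T08:02:11Z,alice@example.test,signin,GB,ok",
    "2024-03-04T08:41:57Z,alice@example.test,signin,NG,ok",
    "2024-03-04T08:50:03Z,alice@example.test,inbox_rule,NG,forward:attacker@evil.test",
    "2024-03-04T09:10:00Z,bob@example.test,signin,GB,ok",
    "2024-03-04T17:45:00Z,bob@example.test,signin,DE,ok",
    "2024-03-04T09:30:00Z,carol@example.test,inbox_rule,GB,forward:carol.home@example.test",
]

# Assumptions for the example: domains treated as 'inside the organisation',
# and the maximum gap between sign-ins from different countries that we
# consider physically plausible.
INTERNAL_DOMAINS = {"example.test"}
TRAVEL_WINDOW = timedelta(hours=1)


def parse(line):
    """Split one constructed event line into a dict with a parsed timestamp."""
    ts, user, event, country, detail = line.split(",", 4)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "event": event,
        "country": country,
        "detail": detail,
    }


def detect(lines, window=TRAVEL_WINDOW, internal=INTERNAL_DOMAINS):
    """Return {user: [finding, ...]} for accounts showing compromise indicators.

    Finding 1 ('impossible_travel'): consecutive sign-ins from different
    countries closer together than `window`.
    Finding 2 ('external_forward'): a forwarding rule whose target address is
    not in one of the organisation's own domains.
    """
    by_user = defaultdict(list)
    for line in lines:
        ev = parse(line)
        by_user[ev["user"]].append(ev)

    findings = defaultdict(list)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        signins = [e for e in evs if e["event"] == "signin"]
        for prev, cur in zip(signins, signins[1:]):
            if prev["country"] != cur["country"] and cur["time"] - prev["time"] <= window:
                findings[user].append(f"impossible_travel:{prev['country']}->{cur['country']}")
        for e in evs:
            if e["event"] == "inbox_rule" and e["detail"].startswith("forward:"):
                target = e["detail"].split(":", 1)[1]
                domain = target.rsplit("@", 1)[-1].lower()
                if domain not in internal:
                    findings[user].append(f"external_forward:{target}")
    return dict(findings)


def respond(findings):
    """Map findings to the containment steps an automated playbook would run.

    The action names are placeholders for whatever the mail platform's API
    offers; a real playbook would call that API and open a ticket.
    """
    actions = {}
    for user, items in findings.items():
        acts = []
        if any(i.startswith("external_forward") for i in items):
            acts.append("remove_forwarding_rule")
        if any(i.startswith("impossible_travel") for i in items):
            acts.extend(["revoke_sessions", "require_password_reset"])
        actions[user] = acts
    return actions


if __name__ == "__main__":
    found = detect(EVENTS)
    for user, items in found.items():
        print(user, items, "->", respond(found)[user])
```

On the constructed data only `alice@example.test` is flagged: two sign-ins 39 minutes apart from GB and NG, then a forwarding rule to an external address, which is the classic business-email-compromise pattern. Bob's two countries are eight hours apart and Carol forwards to an internal address, so neither produces a finding. In production the same logic would read the mail platform's sign-in and audit logs, and the country heuristic needs an allow-list for VPN egress points and known travellers, otherwise the automated response will lock out legitimate users.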
Managing cyber security in-house can also put a strain on the budget and resources of a business. For this reason, many choose instead to partner with a cyber security specialist who understands the unique needs of mid-market enterprises and the challenges they may face.
Third party consulting and compliance services are an effective way for businesses to reduce their vulnerability. Mid-market enterprises can assure themselves that the organisation is compliant with data protection and other security regulations. In many cases, they also gain access to third party industry experts through their security partners, who can advise on key decisions and help develop and implement a robust cyber security strategy to safeguard assets and reassure customers.
Finally, regular penetration testing and security assessment are another effective way for mid-market enterprises to gain insight into the weak points of their infrastructure, systems and processes, so that they can fix them before an attacker finds them.
Events of the last few years have turned the cyber security spotlight onto the mid-market in a big way. But, instead of simply relying on cyber risk insurance, there are plenty of options available that can help prevent organisations from becoming victims in the first place, rather than making the aftermath less painful. Properly training staff, working with security experts, and regularly testing existing cyber defences are all great ways to deter criminals and keep sensitive data safe.
Robert is Cyber Security Product Director at Six Degrees. He is responsible for providing strategic guidance and planning across Six Degrees' entire cyber security portfolio, ensuring product success by championing cyber security product development while assuring clear understanding of complex products for clients.
With over 25 years of experience in the technical infrastructure, technical audit and cyber security products and services fields, Robert's cyber security credentials include PMI, PRINCE2 and hybrid project management, CISSP, and ITIL.
Robert can deliver complex cyber security solutions to a wide audience, explaining in terms that suit multiple levels of understanding. He applies this ability to a number of thought leadership activities, spreading cyber awareness both inside and outside Six Degrees.