Think only big companies get hacked? Wrong


Originally published in CNBC

By Jim Proppe

Once a month, it seems, we hear about a high-impact breach of a corporate computer system. The latest is Premera Blue Cross, and before that Anthem, Sony, Target and Home Depot: These are big companies, and many would assume they were relatively bulletproof. Yet they couldn’t keep the hackers at bay.

Imagine the risks businesses in the middle market face. Not only are they potentially under-invested in cybersecurity, they may not be even aware of the seriousness of the threat.

Why? Many midmarket leaders believe it is a problem only for large, high-profile corporations or those that conduct mainly financial transactions. Other executives are naïve and think a serious breach will never happen to their systems, when in fact these things are happening all the time. No one talks about it, because the victims would rather keep it quiet.

Unfortunately, cybersecurity isn’t just for banks and behemoths. It’s for all businesses, all sizes.

In fact, small and middle-market companies may be more vulnerable to attack because criminals know these businesses do not take substantial preventative measures. 

Companies with 250 or fewer employees accounted for 31 percent of cyber-attacks last year.

Midmarket businesses moving to the cloud may be susceptible to cyber-threats, too. Their data used to be contained on their premises, reachable only from on-site, wired computers. Today that information sits with a provider and is reachable over the Internet by anyone who can obtain, guess or steal a set of credentials. Many cloud service providers can deliver better security than the average mid-sized business, but the provider secures only its own platform; the customer still owns who gets access and how the service is configured. The problem comes when businesses skip the due diligence, such as reviewing the provider’s SOC reports and other independent third-party security certifications, and never settle who is responsible for what.

Ubiquitous mobile devices and Wi-Fi also place companies at unusually high risk, because every phone and laptop that leaves the building is another way in.

One increasingly common threat is ransomware, malicious software that encrypts a company’s files and can bring its entire computer system to a halt, with access restored only if a ransom is paid.

More ominous, hackers probably have infiltrated many middle-market companies already. The malware sits undetected in the network for months and incrementally collects data that shows how to reach other systems or where the proprietary product information is kept.

Part of the problem, especially with smaller midmarket companies, is that a controller likely set up the IT department, and no data security specialist has been appointed. Or that specialist wears too many hats and can’t keep up with the latest malicious code and software patches.

Executives also may be strictly reactive; they believe cyber-criminals can’t be stopped, so the focus of their security systems is on damage control instead of prevention.

System entry points in the middle market – generally companies with revenue of $40 million to $400 million – often come from the same places as in larger and smaller companies: passwords that are easy to guess, lost laptops, vendor access, uninstalled security updates and patches, as well as employees accessing social networking sites, such as Facebook and LinkedIn, on company computers.

Some of the more esoteric breach points: videoconferencing systems, networked printers, even thermostats. One leading retailer’s attacker gained access to the company through its heating and cooling system vendor. Hackers even once invaded an oil company via the online menu of a nearby Chinese restaurant that its employees frequented.

Cyber-crooks nowadays are also more successful with bogus e-mail attachments. It’s not just the foreign prince asking for your assistance in the e-mail’s subject field anymore. Sometimes the infected e-mail appears to come from a trusted contact, a vendor or a supplier, because the sender’s address has been spoofed or the sender’s own account has been compromised.

The potential ramifications at middle-market companies are the same as at larger ones: the possibility of fines or lawsuits, the expense of notifying victimized individuals, the specter of further damage, the time spent on credit monitoring and reputational repair. 

Moreover, when cyber-criminals obtain data from one company, it often leads to easier access into other corporations, as well as individuals’ records.

The average cost of a data breach was $5.9 million for all U.S. companies, according to a 2014 study. The most common causes were malicious or criminal attacks (44 percent), followed by employee negligence (31 percent) and system glitches (25 percent).

The intent of the breach is usually information theft leading to financial gain, rather than so-called hacktivism, which appears to have been the motive in the attack on Sony’s network.

What can midmarket companies do? Consider partnering with a trusted firm to provide relevant advice on your cybersecurity infrastructure, including technical testing. Think twice before obtaining cyber-insurance; it often doesn’t cover much. Realize cybersecurity is a business issue that should be considered as part of your firm’s overall strategy. Monitor network traffic for unusual volume or unusual destinations, since a host suddenly sending far more data than it normally does is one of the few visible signs of data theft in progress. Work with your financial institution to implement multi-factor authentication and dual controls for financial transactions. Strengthen administrative passwords and, generally, don’t rely on system users, whether customers or employees, for protection.
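One way to act on the advice above to monitor for unusual traffic volume, as an added example that is not part of the article: the script below sums outbound bytes per internal host per hour from a flow log and flags any hour that is far above that host’s own baseline. The flow records, the 10.0.0.0/8 internal range, the record format and the threshold are all assumptions made for the example; the 9.4 GB transfer from 10.0.1.22 is a planted outlier, and the large transfer from 10.0.1.22 to 10.0.2.5 is internal traffic that should not count.

```python
"""Flag internal hosts whose outbound traffic volume is far above their own baseline.

Constructed example for the article above; not real data and not the author's tooling.
"""
import ipaddress
from collections import defaultdict
from statistics import median

# Assumed internal address range for the example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: timestamp, source, destination, bytes sent.
# The last record is the planted outlier; the 10.0.2.5 record is internal-only traffic.
SAMPLE_FLOWS = """\
2015-04-01T09:04:11 10.0.1.15 93.184.216.34 51200
2015-04-01T09:17:40 10.0.1.22 198.51.100.7 40100
2015-04-01T10:02:05 10.0.1.15 93.184.216.34 48300
2015-04-01T10:31:22 10.0.1.22 198.51.100.7 38800
2015-04-01T11:09:53 10.0.1.15 93.184.216.34 55000
2015-04-01T11:45:17 10.0.1.22 198.51.100.7 42500
2015-04-01T12:12:30 10.0.1.15 93.184.216.34 49800
2015-04-01T12:58:01 10.0.1.22 198.51.100.7 39900
2015-04-01T13:03:44 10.0.1.15 93.184.216.34 30000
2015-04-01T13:27:19 10.0.1.15 203.0.113.9 22100
2015-04-01T13:33:08 10.0.1.22 10.0.2.5 500000000
2015-04-01T13:41:56 10.0.1.22 203.0.113.77 9400000000
"""


def parse_flows(text):
    """Parse whitespace-separated records into (hour, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        # ts[:13] keeps "YYYY-MM-DDTHH", i.e. the hour bucket.
        flows.append((ts[:13], ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)))
    return flows


def hourly_outbound(flows, internal=INTERNAL):
    """Sum bytes per internal host per hour, counting only traffic that leaves the network."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, src, dst, nbytes in flows:
        if src in internal and dst not in internal:
            totals[src][hour] += nbytes
    return totals


def robust_score(value, baseline):
    """How far value sits above the baseline median, in units of the baseline's spread.

    Median absolute deviation is used so one huge hour does not inflate the spread
    used to judge that host's other hours. The scale is floored at 10% of the median
    (and at 1 byte) so a near-constant baseline cannot produce a divide-by-near-zero.
    """
    med = median(baseline)
    mad = median(abs(b - med) for b in baseline)
    scale = max(1.4826 * mad, 0.1 * med, 1.0)
    return (value - med) / scale


def flag_anomalies(totals, threshold=6.0, min_baseline=3):
    """Return (host, hour, bytes, score) for hours far above the host's other hours."""
    findings = []
    for host, hours in totals.items():
        for hour, nbytes in sorted(hours.items()):
            # Baseline is every other hour seen for this host (leave-one-out).
            baseline = [b for h, b in hours.items() if h != hour]
            if len(baseline) < min_baseline:
                continue  # too little history to call anything anomalous
            score = robust_score(nbytes, baseline)
            if score >= threshold:
                findings.append((str(host), hour, nbytes, round(score, 1)))
    return findings


if __name__ == "__main__":
    for host, hour, nbytes, score in flag_anomalies(hourly_outbound(parse_flows(SAMPLE_FLOWS))):
        print(f"{host} sent {nbytes / 1e9:.1f} GB outbound in hour {hour} (score {score})")
```

Run against the sample, only 10.0.1.22 in the 13:00 hour is reported; the 500 MB transfer to 10.0.2.5 is ignored because it never left the network, and the other hosts’ normal variation scores well below the threshold. In practice the baseline would be days or weeks of history per host rather than a few hours, and the input would come from the firewall, proxy or flow exporter rather than an inline string.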

The public may not hear much about hacking into midmarket because these businesses in the sector get less attention from the media. The companies may also be shy about publicizing security breaches unless circumstances force them to go public.

Keep in mind, however, that middle-market companies are the fastest growing sector of the U.S. economy and, along with small business, the leading job creator.

True middle-market story: A company, which shall not be named, not long ago asked its 280 employees to try to hack into senior management’s e-mail to test their security. After a month, 240 were successful. Therein lies a sad lesson about the state of cybersecurity today.

Jim Proppe is a group managing partner with Plante Moran, an accounting and advisory firm based in Southfield, MI.