Cybersecurity for Mid-Sized Organizations: One Size Does Not Fit All
Oct 29, 2019
If you’re involved in defining, executing and managing a cybersecurity strategy for a mid-sized enterprise, you’ve got a lot on your plate.
For one thing, cyber threats continue to evolve, and are becoming increasingly sophisticated and insidious. Unlike larger companies, you may lack the resources and bandwidth to keep up with these constantly changing risks. As a result, you may have succumbed to the temptation of complacency by relying on vulnerable and outdated “set it and forget it” security solutions. This makes you especially vulnerable to devastating attacks.
It gets worse. If you assume that, as a smaller organization, you’re a less attractive target, think again. From a hacker’s perspective, you’re actually just as appealing because you’re easier to breach. As for the consequences, mid-sized organizations are significantly less able than larger businesses to recover from system downtime and lost revenue. Citing various sources, a recent CNBC report found that cyberattacks cost small companies $200,000 on average, and that 60 percent of these victims go out of business within six months. And while 43 percent of cyberattacks are aimed at small businesses, only 14 percent are prepared to defend themselves.
You also confront the harsh reality that effective security solutions are not bowls of vanilla ice cream. While every business must manage common risks such as ransomware, phishing, insider threats and Distributed Denial of Service (DDoS) attacks, security requirements vary by industry.
- Financial services firms – even smaller entities such as regional banks – typically operate in complex, multi-vendor environments, and must ensure visibility across the entire supply chain of service delivery. Moreover, they face increasing regulatory scrutiny and a wide range of confusing and constantly evolving requirements.
- Law firms face service management and regulatory challenges. And because compliance requirements are in many cases defined by individual clients rather than government bodies, the standards can be especially confusing.
- In the healthcare sector, regional hospitals and clinics confront strict security requirements around protecting patient data and privacy, along with integration challenges related to sharing data with payers. These organizations often face the additional burdens of legacy IT infrastructure and limited resources. And because medical facilities routinely deal with life-and-death situations, they can’t afford to be disrupted by ransomware situations.
- For manufacturers, concerns surrounding Intellectual Property theft make insider threats particularly dangerous. Improperly secured Internet of Things (IoT) devices, meanwhile, pose potentially catastrophic risks.
While industry requirements pose particular security challenges, the specifics of your existing operational environment and strategy further complicate matters. Factors such as a BYOD policy, a large number of remote employees, or the integration of legacy systems with virtualized assets can combine to create a truly unique set of challenges and priorities. That creates even more pressure to get it right.
So how do you determine what security strategy is right for your business?
A critical first step is to identify the most critical forms of data you need to protect – patient information for a healthcare provider, say, or intellectual property for a manufacturer.
Next, define priorities based on the importance of the various assets.
Questions to ask include:
- Where and how is data stored?
- How does data flow through the network?
- What communication links and applications are involved?
One critical consideration here is the protection of data at rest versus data in motion. Most companies focus on the latter, by applying encryption to data being transmitted from one point to another. In the process, they mistakenly neglect data at rest (i.e., data being stored somewhere). Healthcare organizations, for example, are susceptible to Patient Health Information (PHI) breaches resulting from the physical theft of laptops from parking lots – laptops containing data that hasn’t been encrypted.
Applying the principle of “defense in depth” is similarly essential – critical assets require layered, redundant controls to ensure that, if one mechanism fails, another takes over immediately.
Finally, you need to calculate your appetite for risk – and here things can get tricky. Obviously, you need to focus on protecting against threats that pose a high probability of catastrophic failure. But how much effort should you devote to ensuring you’re safe from a minuscule risk with a struck-by-lightning level of probability?
Suffice it to say, the task of defining, implementing and managing a cybersecurity strategy is a complicated one involving myriad considerations. Contact us to begin the conversation.