What midsize companies need to understand about cybersecurity threats

Nov 30, 2017 | 4 mins
Cybercrime, Data and Information Security, Technology Industry

It's easy for a midsize company to trick itself into thinking the cyber threats that apply to large enterprises don’t apply to it. Unfortunately, a quick glance at the news shows that simply isn’t true.


Understanding risk is the first step towards a strong cybersecurity posture. From ransomware to compromised passwords, midsize organizations ($10m to $500m in revenue) are facing many of the same compliance and security risks as their larger brethren. Yet for reasons ranging from costs to staffing to ever-evolving threats, midsize company CEOs often fail to take the preventative and responsive actions they need to close the door on compliance and security threats.

The stakes are high. According to Ponemon Institute’s 2017 State of SMB Cybersecurity Report, which surveyed more than 1,000 IT professionals in North America and the U.K., more than 61 percent of SMBs have been breached in the last 12 months, compared to 55 percent in 2016. In addition, the average quantity of stolen data in an average breach nearly doubled to 9,350 records from 5,079 in 2016.

The survey found that many of these incidents are caused by negligent employees, meaning that efforts to preach security awareness in many organizations are falling short. One of the reasons security programs fail to have the intended impact is because they do not consider the intended audience and their risk assessment.

Strong leadership and strategy

Unsurprisingly, addressing cybersecurity takes strong leadership. Many mid-market companies, however, do not have a chief information security officer (CISO) who is empowered to drive change across the organization. Today’s CISO needs to approach the job with an understanding of both technology and business risk. Limited budgets mean limited resources, and limited resources require that leaders understand where it’s best to spend time and money.

According to a 2016 survey of more than 1,000 C-suite mid-market executives by the National Center for the Middle Market (NCMM), more than half of U.S. middle market companies did not have an “up-to-date” strategy to address cybersecurity risks, while 30 percent had no action plan at all.

Developing a cybersecurity plan that maps to business risks requires detailed discussions with corporate stakeholders about the company’s most vital business priorities and the technology supporting them. This is particularly important as companies pursue opportunities for efficiencies in the cloud, which can raise new issues related to management, regulatory compliance and security.

These conversations should take place in the language of business leaders. Focus on the return on investment for specific security controls – for example, what the financial impact would be if a breach occurred because those controls were not in place.

Security, however, involves more than just investing in tools. Like many large enterprises, mid-market companies are challenged to hire and retain talented employees. Spending millions on tools may appear to solve problems, but without a team with the right expertise, those tools may not even be used effectively.

Technology, after all, can only go so far – the human firewall is just as important. Just as negligent insiders can pose a threat, so too do phishing emails and social engineering. Having employees who can successfully identify malicious emails and suspicious behavior will strengthen your security posture.

Risk and reward

A risk assessment that evaluates everything from relevant compliance regulations to software patching to vendor management programs is also an important part of knowing where to begin. These assessments should not be one-time events – as threats and compliance regulations emerge and evolve, failing to change with them can leave your organization vulnerable. In addition, threat intelligence about ongoing attacks and emerging attack activity should be used to keep your security defenses and strategy up-to-date and effective.

As your organization grows, data classification policies, as well as the security controls protecting corporate data, need to be continuously examined and assessed for their efficacy.

Remember, in the eyes of attackers, bigger may not be better. Bigger businesses often have stronger security programs, larger budgets and more staff, making them less attractive targets for attackers than mid-market companies. By being aware of the intersection of business and technical risks and using that knowledge to shape strategy, leaders at mid-market companies can put themselves in a better position to mitigate threats that can disrupt operations.


Jeff Schilling, a retired U.S. Army colonel, is Armor’s Chief Security Officer and is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of focus include cloud operations, client services, quality analysis, software development and engineering.

Previous to joining Armor, Schilling was the Director of the Global Incident Response practice for Dell SecureWorks where his team supported over 300 customers with incident-response planning, capabilities development, digital forensics investigations and active incident management.

In his last military assignment, Schilling was the Director of the U.S. Army’s global Security Operations Center under the U.S. Army Cyber Command.

The opinions expressed in this blog are those of Jeff Schilling and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.