Mid-market companies may not think they are a target for cyber crime, but they are actually at the top of the list.
According to the October 2019 EY Global Capital Confidence Barometer, the biggest fear that middle-market companies have about cybersecurity is reputational damage. Second on the list is operational disruption.
This is no surprise, given the harm that cyber attacks have caused to many large brands around the world. Like them, mid-market firms — those with between US$50m and US$3b in revenue — should be concerned about the reputational damage an attack can cause.
They are also right to be worried about operational disruption, given the size of the potential financial impacts. And mid-market firms should be much more concerned than they are about all the different impacts of cyber attacks, as they are more vulnerable compared to larger organizations and typically have insufficient defenses. The highly sophisticated, ever-changing nature of cyber crime makes it nearly impossible for mid-market companies with scant resources to keep abreast of the threats.
Many attackers aim to use mid-market firms as Trojan horses for attacks on larger companies. Targeting massive companies is relatively more difficult, because these organizations usually have dedicated cybersecurity teams and systems, so an easier way to attack them is through their suppliers. For example, an attacker might try to plant malicious code in the supplier’s application, which will then find its way into the larger company via their business relationship.
Although a breach of this nature would generate more negative publicity for the larger company, the mid-size company would likely suffer reputational and financial damage, as the companies it supplies may cancel contracts and blacklist it. It might not be as public, but it will be financially painful. In a worst-case scenario, this disruption could cause the mid-size firm to go out of business.
Our most important advice on cybersecurity is to not ignore these issues or let them overwhelm you. Do not be afraid to learn and ask questions. That’s much better than waiting for someone to tell you what to do because you have been breached or because additional regulation has been forced upon you. Invest in software development and application security testing. Conduct additional penetration testing on your systems to identify your security gaps. Outsource (or co-source) core security services to trusted providers with the skill and capacity to protect your business.
Our experience with middle-market companies is that they are often reactive rather than proactive — they do not get serious about cybersecurity until after they have been attacked. But if they address these issues sooner, it will cost them far less in the long run.
The full article can be accessed here.
EY Law key contacts:
EY Global Digital Law Leader
EY Global and EMEIA Data Privacy Leader