Information and data security: Understand your risk
RSM US MMBI Cybersecurity Special Report 2018
Data is often the most valuable resource for middle market companies, as information can help make more informed decisions and guide organizational strategy. Unfortunately, that information also carries a high value to hackers and other cybercriminals who seek sensitive customer and employee data or intellectual property.
While many middle market organizations consider themselves too small to be a target, data breaches and breach attempts in the sector are on the rise. In many cases, it’s not a matter of whether an organization will be breached, but when.
RSM’s 2018 first quarter Middle Market Business Index research polled 412 middle market executives about cybersecurity challenges, taking the pulse of the entire segment, and in some cases, providing targeted data for smaller ($10 million to less than $50 million in revenues) and larger ($50 million-$1 billion in revenues) organizations.
In the survey, executives disclosed that they are experiencing more data breaches. In fact, the number of middle market companies reporting breaches has more than doubled in the last three years, with 13 percent of businesses in 2018 claiming to have endured a data breach, compared to only 5 percent in 2015.
There is no denying that the middle market has become a primary target for hackers. The recent NetDiligence® 2017 Cyber Claims Study found that companies with less than $50 million in revenue accounted for 48 percent of cyber insurance claims from 2014-2017, with another 24 percent from organizations with $50 million-$300 million in revenue. All told, companies with less than $2 billion in revenues represented 88 percent of all reported claims.
In addition, for the first time since 2015, a plurality (47 percent) of middle market executives indicated an attempt to illegally access their data or systems is "likely"—a significant increase over just two years ago (39 percent). The percentage of respondents claiming that an attempt is “very likely” also surged to 16 percent in the first quarter, compared to 10 percent two years ago.
The costs related to a data breach can be harmful, especially for middle market businesses. According to the NetDiligence study, the average breach cost submitted for cyber insurance claims from 2014-17 was $394,000, with $56,000 the median. Financial costs are often not the only repercussion related to a breach, with regulatory sanctions and reputational damage often following quickly after an incident.
While hackers are the most common source of data and information losses, organizations must also understand the other threats that could result in losses. In the NetDiligence survey, hackers comprised 27 percent of losses, but malware and viruses (16 percent), lost or stolen devices (12 percent), staff mistakes (10 percent), paper records (9 percent) and rogue employees (8 percent) also presented significant threats.
“While hackers represent the single largest external threat, our claims study data shows that insiders are also a major problem,” said Mark Greisiger, NetDiligence president. “Rogue employees, trusted vendors, staff mistakes, social engineering, improper handling of patient documents, etc.— these types of insider-driven events account for more than half of all losses."
No industry is immune to data loss or theft. NetDiligence is finding that professional services and health care (18 percent each) experienced the largest number of cyber claims in 2017. Financial services (13 percent) ranked third, followed by retail (11 percent), nonprofit (8 percent) and technology (7 percent).
“It’s clear that cyberrisk and losses are occurring in practically every business sector,” said Greisiger. “We used to think that most incidents occurred in one of three sectors: health care, retail or financial services. Our data clearly shows that’s no longer the case. Simply put, regardless of your business sector, your organization is at risk.”
While threats are rising, and new data security challenges emerge as information continues to gain value, most executives remain confident in their existing data security measures. RSM’s research found that 93 percent of middle market companies are confident in their current ability to safeguard sensitive customer data. Despite more breaches being reported and more attempts at illegal data access expected moving forward, executive confidence has risen from 75 percent just three years ago.
This strong confidence in companies’ internal security controls and capabilities is likely driven by increased investments to protect information in response to publicized data breaches.
RSM found that nearly two-thirds of middle market companies (65 percent) updated security protocols, while 52 percent purchased new or upgraded software and 41 percent updated internal privacy policies.
The average investment is still relatively small. A recent Gartner study found that companies average 5.6 percent of information technology (IT) spending on cybersecurity. The rise of breaches in the sector suggests that companies still have work to do to properly defend themselves.
Even with more extensive efforts to curb data breach threats, middle market executives must be careful not to become overconfident and create new vulnerabilities. Criminals are initiating more sophisticated and persistent attacks on internal systems, and can navigate around many protective measures.
“Cyberthreats today resemble a traditional arms race,” said RSM Principal and National Security, Privacy and Risk Leader Daimon Geopfert. “The attackers use a method or tool to perpetuate their attacks, and companies respond by implementing new tools and processes to counter the attacks. Those companies feel confident in their ability to handle an incident because of their new resources, but the attackers have since changed tactics and tools thus making their victims vulnerable again.”
In summary, the data security challenge is real and growing for middle market companies. The sector has become a major target for data breaches, and organizations might lack the internal resources to understand and detect threats compared to larger counterparts. Companies must place an increased focus on data threats and consider new strategies to protect employee, customer and company data, and preserve confidence in the business and its reputation.
1 In the NetDiligence survey, a hacker is defined as a criminal who manually accesses internal networks and servers in order to access or steal company data or intellectual property.
2 “Gartner Says Many Organizations Falsely Equate IT Security Spending With Maturity,” Gartner, accessed April 17, 2018.