United States

Security mavericks to middle market directors: Become a harder target


Download article

Imagine you’ve spread your prized possessions out on your dining room table. If a burglar manages to make her way past locked doors and windows, she could plunder those items in min­utes and disappear back out into the night. You’ve made her job easy with one layer of defense, no alarm systems, and valuables left in plain sight. However, imagine you put those same possessions in a safe bolted to the floor in your bedroom closet. If the burglar gets past your basic external defenses (which are more trivial than you’d like to think), she is now standing in the dark in an unfamiliar place, trying to hunt for the goods while remaining undetected. Odds are she’ll step on that squeaky floor­ board, kick the cat, or otherwise alert you to her presence. If she does find the safe, she’ll struggle to crack the combination, and might even give up trying before being caught.

While comparing a cyber­-breach to a burglary may seem like a stretch to some, RSM US LLP’s Daimon Geopfert, national leader of the firm’s security and privacy consulting practice, says it’s an apt metaphor for what a breach looks like at some middle- market companies. Geopfert noted in a recent roundtable dis­cussion with directors that people have an inherent understanding of how to protect physical prop­erty, but often abandon the same concepts when it comes to secur­ing digital goods. This has led to skyrocketing rates of data breaches within the middle-market, which happens to comprise of the major­ity of American businesses.

Market-Specific Risks

Middle­-market companies often partner with third-­party vendors to extend their growth, a move that compounds risks. Both infor­mation technology staff and the general counsel’s office must track the vendor’s compliance with their own security expecta­tions, which can lead to vulnera­bilities. In order to mitigate these risks, companies must insist on contracting certain protections that would harden the security stance of their enterprise.

Directors and management should remember that, while moving to the cloud can enable growth, the softening of secu­rity that can occur when work­ing with third parties can lead to chaos when breaches occur. Directors have the opportunity to pressure test their security to verify if these steps have been taken. “When you ask companies simple questions to verify the protections in place in their systems, their staff oftentimes pause and say, ‘You know, we’ve never veri­fied X, and we’re not sure about why we haven’t,” said Craig Hoffman, a partner at law firm Baker & Hostetler, describing his experience as a forensic investiga­tor in breaches of mid­cap com­panies. Companies might say they segment their data, which is a common data security best practice, but third parties may not have been called in to independently verify that the segmenta­tion was properly performed, he explained. This lack of assurance creates vulnerabilities that could make or break a company in the event of a breach.

One director noted that boards of mid-­cap companies can miti­gate the risk of a cyberattack by insisting that the company define its risk appetite and ensure that the processes to protect important assets are well documented.

“A lot of businesses think they understand their business pro­cesses, but they really don’t,” the director said. “They don’t docu­ment processes, and they rely on prior knowledge. If you can have the self­-discipline to document the business process, then you’ll have the ability to say, ‘How will we definitively know as a board whether or not we lost data based on this diagram?’”

Due to budget constraints, many mid­market companies may choose to invest in a lower tier of service when purchasing certain security and information technology. With limited cost comes limited coverage, how­ever. Returning to Geopfert’s metaphor, you would not want to secure your prized possessions in a subpar safe. The same goes for your company’s digital assets. Consider, for instance, the importance of reviewing logs once a breach has occurred. In order to save money, Hoffman pointed out that companies might choose server packages that do not include log mainte­ nance beyond 30 days of cover­ age. He urged directors to ask their legal teams if contracts have been carefully reviewed to under­ stand the extent of coverage pro­ vided. Doing so can help them weigh their coverage against their accepted risk tolerance.

Play to Strengths

The limited size of middle­-market companies means less surface area to protect—and fewer people to train on security. While the overall target area is larger due to the sheer number of mid­-cap companies, individual companies may real­ize some size­based advantages. “You can’t hide on the Internet,” Geopfert said. “Hackers quite often aren’t looking for anything specific, and because there are so many smaller companies out there, the statistics say they’re more vulnerable.”

That said, the experts were keen to point out that a smaller footprint means greater speed to strengthening security—and greater opportunity for employees to alert one another when some­ thing looks fishy.

When one director asked what organizations that are smaller and have fewer resources can do to secure their enterprises, Geopfert offered words of reassurance.

“The second you are small enough to convince yourself that you don’t matter, you’re the key demographic,” he said “However, we have worked with some companies that have turned themselves into exceptionally hard targets in short order because their organizations are that much simpler. The Targets and Equifaxes of the world are that much harder to get their arms around.”

Directors of middle-­market companies should remind man­agement that their organization is indeed a visible target, and that one job of management is to make it harder for cyber thieves to gain entry.

“You can’t hide your assets any more than you can hide your house,” Geopfert said. “That said, you know where your important things are. Do what you can to lock them down.” 

Article originally appeared in NACD's Directorship magazine September/October 2018 issue.

How can we help you?

To discuss how our team can help your business, contact us by phone 800.274.3978 or