BreachExchange mailing list archives

Think only big companies get hacked? Wrong


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Apr 2015 19:06:54 -0600

http://www.cnbc.com/id/102586700

Once a month, it seems, we hear about a high-impact breach of a corporate
computer system. The latest is Premera Blue Cross, and before that Anthem,
Sony, Target, Home Depot: These are big companies, and many would assume
they were relatively bulletproof. Yet they couldn't keep the hackers at bay.

Imagine the risks businesses in the middle market face. Not only are they
potentially under-invested in cybersecurity, they may not even be aware of
the seriousness of the threat.

Why? Many midmarket leaders believe it is a problem only for large,
high-profile corporations or those that conduct mainly financial
transactions. Or those executives are naïve; they think a serious breach
will never happen to their systems, when in fact these things are happening
all the time. No one talks about it, because the victims would rather keep
it quiet.

Unfortunately, cybersecurity isn't just for banks and behemoths. It's for
all businesses, all sizes.

In fact, small and middle-market companies may be more vulnerable to attack
because criminals know these businesses do not take substantial
preventative measures.

Companies with 250 or fewer employees were the targets of 31 percent of
cyber-attacks last year.

Midmarket businesses moving to the cloud may be susceptible to
cyber-threats, too. Their data used to be contained on their premises, with
links to that data from on-site, wired computers. Today, all of the
information is "out there" someplace accessible from the Internet by
potentially anyone. While many cloud services providers have the ability to
provide better security than the average mid-sized business, the problem
comes when those businesses skip the due diligence, such as reviewing SOC
reports and other independent third-party security certifications.

Ubiquitous mobile systems and wi-fi also place companies at unusually high
risk.

One increasingly common threat is ransomware, which encrypts a company's
data or locks its systems and blocks access until a ransom is paid.

More ominous, hackers probably have infiltrated many middle-market
companies already, and the malware rests undetected in a network,
incrementally collecting data that shows how to access other systems or
steal proprietary product information.

Part of the problem, especially with smaller midmarket companies, is that a
controller likely set up the IT department, and no data security specialist
has been appointed. Or that specialist wears too many hats and can't keep
up with the latest malicious code and software patches.

Executives also may be strictly reactive; they believe cyber-criminals
can't be stopped, so the focus of their security systems is on damage
control instead of prevention.

System entry points in the middle market – generally companies with revenue
of $40 million to $400 million – often come from the same places as in
larger and smaller companies: passwords that are easy to guess, lost
laptops, vendor access, uninstalled security updates and patches, as well
as employees accessing social networking sites, such as Facebook and
LinkedIn, on company computers.

Some of the more esoteric breach points: videoconferencing, networked
printers, even thermostats. One leading retailer's attacker gained access
to the company through its heating and cooling system vendor. Hackers even
once invaded an oil company via an online menu at a nearby Chinese
restaurant.

Cyber-crooks nowadays are also more successful with bogus e-mail
attachments. It's not just the foreign prince asking for your assistance in
the e-mail's subject field anymore. Sometimes, the infected e-mail can come
from a trusted contact, a vendor or supplier.

The potential ramifications at middle-market companies are the same as at
larger ones: the possibility of fines or lawsuits, the expense of notifying
victimized individuals, the specter of further damage, the time spent on
credit monitoring and reputational repair.

Moreover, when cyber-criminals obtain data from one company, it often leads
to easier access into other corporations, as well as individuals' records.

The average cost of a data breach was $5.9 million for all U.S. companies,
according to a 2014 study. The most common causes were malicious or
criminal attacks (44 percent), followed by employee negligence (31 percent)
and system glitches (25 percent).

The intent of the breach is usually information theft leading to financial
gain, rather than so-called hacktivism, which appears to be the case in the
attack on Sony's network.

What can midmarket companies do? Consider partnering with a trusted firm to
provide relevant advice on your cybersecurity infrastructure, including
technical testing. Think twice before obtaining cyber-insurance; it often
doesn't cover much. Realize that cybersecurity is a business issue, which
should be considered as part of your firm's overall strategy. Monitor
networks for unusually high traffic volume. Work with your financial
institution to implement multi-factor authentication and dual controls for
financial transactions. Strengthen administrative passwords and, generally,
don't rely on system users, whether customers or employees, for protection.

The public may not hear much about hacking into midmarket companies because
businesses in this sector get less attention from the media. The companies
may also be shy about publicizing security breaches unless circumstances
force them to go public.

Keep in mind, however, that middle-market companies are the fastest growing
sector of the U.S. economy and, along with small business, the leading job
creator.

True middle-market story: A company, which shall not be named, not long ago
asked its 280 employees to try to hack into senior management's e-mail to
test their security. After a month, 240 were successful. Therein lies a sad
lesson about the state of cybersecurity today.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 