Budget Conscious Solutions for Protecting Mid-Market Companies
One size does not fit all when it comes to defending companies against data breaches. The threat of cyber crime and the consequences of data breaches may appear to be equally problematic for companies of any size and composition. However, the reality is that not only is the threat clearer and more present for the mid-market (companies with between 100 and 2000 employees), but the consequences are more dire. Most importantly, the methods for successfully mitigating the threat of a data breach at the mid-market level are largely not the same as those used by enterprise companies. Those responsible for infosec at mid-market companies must be aware of the differences if they’re to mount defenses that minimize the risk in a practical and cost-effective manner.
Read on to gain an understanding of the dynamics and challenges facing mid-market companies with respect to data privacy and information security. Learn more about cost-effective solutions and proven methodologies specifically focused on combating the threat of data breaches for the mid-market. Let’s begin with some uncomfortable facts.
FACT: Studies from highly respected Aberdeen Strategy & Research reveal the risk of a data breach is 63% higher for companies with fewer than 1000 employees than it is for larger ones.
[Link – registration required]
A common misconception is the assumption that cyber criminals favor infiltrating a Fortune 500 or other large enterprise company. Many assume targeting a larger company will yield larger payoffs for criminals who succeed in breaching the data of a “whale”-sized organization. The reality is that middle market business organizations are the favorite target of cyber criminals, not the largest ones. Unlike their larger and enterprise-level counterparts, mid-sized companies are low-hanging fruit for criminals.
The average mid-market firm cannot match the cost and volume of efforts mounted by larger organizations to combat the problem. Larger companies have deeper pockets and routinely invest larger portions of their budgets in preventing cyber crime. Mid-market firms must do more with less. Sadly, many mid-market firms embrace the comforting falsehood that their organizations are safe from attack because cyber criminals are more attracted to large targets.
FACT: Data breaches are more costly (in relative terms) to the mid-market company than large enterprises.
Forbes published a study revealing the costs and consequences of the average data breach for companies of all sizes. Their report writes, “For a small or medium-sized business (SMB), the average cost of a breach is $108,000. Meanwhile, the cost for enterprises (businesses with more than 1000 employees) has risen to $1.41 million, up from $1.23 million the previous year. The financial damage will vary significantly depending on the size of the company and the nature of the breach.”
Measured against the overall capitalization of a small business versus a large one, the $108,000 represents a larger fraction. For a $1 million a year company, $100,000 is ten percent of its annual revenue. For a $10 million company, $100,000 is only one percent.
FACT: The US Chamber of Commerce reports 73 percent of middle market companies expect to experience a cyber-attack.
In a recent news release, the US Chamber of Commerce shared some unsettling data from the US Middle Market Business Index (MMBI) Special Report on Cybersecurity. Of the 400 senior executives polled from mid-market companies:
- 22% reported their company data had been breached in the last year.
- 23% disclosed a ransomware attack or demand in the past year.
- 72% expect unauthorized users will try to access data systems in the coming year – a sharp rise from 64% in last year’s report, and the highest number since this data was first recorded in 2015.
- 45% said that outside parties attempted to manipulate employees by pretending to be trusted third parties or company executives.
- 73% anticipate an attack based on the manipulation of their employees within the next 12 months – the highest number ever recorded by the MMBI!
And though breaches impacting the mid-market experienced a modest downward trend in frequency between 2020 and 2023 according to the MMBI report, mid-market companies will never get the numbers down to a tolerable level until they embrace external data privacy management. More on the cost-effective, external data privacy management methodology later in this paper.
FACT: Middle market companies have their hands full with so many unprecedented challenges that there are often insufficient resources to properly address this threat.
The middle market represents most of the economic activity in the US. So, it is not surprising that the middle market was the most deeply impacted by the effects of the global COVID-19 pandemic. As the pandemic recedes worldwide and the economic engine roars back to life, the most persistent challenges on the minds of executive leaders are those residual effects most visibly tied to the COVID experience – staffing shortages and supply chain disruptions.
Accountancy and tax advisory firm UHY released its 2023 Middle Market Survey Trends Report which polled more than 250 executives across the public and private middle market sector. The report illustrates the array of concerns weighing on the minds of leaders. Although nearly 3 in 4 businesses polled (72%) said they’ve resumed operating at pre-pandemic performance levels, the leading concern among the leaders polled was a slowdown in growth.
The second most cited concern in the UHY report was ESG (environmental, social and governance) requirements, with 45% of leaders reporting full or even partial compliance.
At 36% was the pressing issue of turnover and workforce sourcing challenges. The ongoing labor shortage and historically low unemployment figures make finding and retaining talent a challenge. (This is another area in which external data privacy management can help reduce turnover by reducing employee poaching and churn. Read our White Paper on this subject here.)
Digital transformation was the fourth most mentioned challenge in the UHY report.
Wolters Kluwer, a global provider of professional information, software solutions, and services for clinicians, nurses, accountants, lawyers, and the tax, finance, audit, risk, compliance, and regulatory sectors, offered a very similar outlook regarding the trends for mid-market business in 2023. In its “expert insights” article, it points to faltering growth, ESG, talent/labor shortage and digitization as key areas of focus. It did, however, touch on personal data and digital asset law changes as important challenges under the heading of a “Changing Statutory and Regulatory Landscape”.
In its 26th Annual Global CEO Survey, PriceWaterhouseCoopers (PwC) reveals a more balanced outlook. With 4,410 CEOs surveyed, profitability and fear of slowing growth were still the primary concerns. Costs/inflation, supply chain and staffing make the familiar list. However, cyber risks were notably included in the CEOs’ threat assessments – somewhere in the middle of the pack of worries. 20% said they were subject to cyber risk within the next 12 months and 25% said they feared exposure to cyber threats within the next five years.
This and other available research confirm that while mid-market leadership is aware of the cyber threat, it is only one concern among numerous others. And it is clearly not at the top of the wall of worry.
FACT: The current solutions and efforts used by mid-market organizations to mitigate data breach risks fail to address one of the top drivers of cyber crime and data breach incidents.
With so many competing challenges facing the mid-market companies of today, there is great competition in the budgeting process and a finite amount of capital companies can allocate to any individual area. When it comes to addressing the threat of data breaches and other cyber crimes, most mid-market organizations tend to embrace the same handful of solutions.
Common Solutions to Prevent Data Breaches in Mid-Market Companies
Industry media is replete with articles offering best practices for SMBs to protect their data from being breached. Those listed below are the ones most frequently recommended. All these strategies, especially if deployed together as part of a broader campaign, are effective to some degree. However, none of them addresses the leading root cause of data breaches. First, examine the popular solutions employed by SMBs below. Then read on for the most efficient, cost-effective solution the mid-market should embrace to mitigate data breach threats.
Moving Information Systems into the Cloud
A company could invest significant capital into upgrading secure servers and implementing powerful encryption protocols. But this is costly and requires ongoing staffing costs to maintain these systems at its own physical location. Instead, many mid-sized firms have found it more cost-effective to move their data storage and other information systems into cloud hosting arrangements. Hosts like Amazon Web Services and other top-tier cloud offerings are able to provide – for a modest monthly subscription cost – state-of-the-art security and redundancy which mid-market organizations could never afford on their own.
Carrying Cyber Insurance
As another example, many companies now carry cyber insurance policies that cover some of the losses that occur when a company’s data is breached. There is even specialized “data breach insurance” coverage. This strategy is one that helps clean up after a data breach has inflicted harm on the organization or its customers. Moreover, while it may help absorb the costs of lawsuits and judgments that may be rendered against the company, it does little to mitigate the long-term damage to reputation that many companies suffer after being victimized by data breaches and other cyber threats.
Staff Training and Education
This is another example of a relatively low-cost solution to help harden defenses against cyber crime among mid-market companies. From a cost perspective, whether these trainings are delivered by internal HR resources or third-party training programs, the cost is not prohibitive. And these programs are intended to be just one prong of a multi-pronged strategy. The problem with the training strategy is that it is only effective if the intended audience – the employees – actually practice the strategies they learn in these classes.
Preparing for GDPR-style Legislation/Regulation
Some organizations’ legal departments are preparing their operations to adopt new privacy legislation and regulations percolating through Congress and the state legislatures. This strategy is vulnerable to inconsistent application of regulations across the US. Moreover, simply preparing for the release of new regulations does not provide any concrete or actionable methodology an organization can follow to ensure that compliance with imminent regulations will translate into effective protection from criminal activity.
Add to this the fact that many mid-sized companies in the US do business overseas in an increasingly integrated global economy, so privacy risks and data breaches extend beyond the domestic arena. Even in countries like the UK, which has enjoyed a national standard for privacy through its GDPR regulation, more middle market leaders reported a data breach in 2021 than in the U.S. (34% compared to 22%).
The Most Effective, Affordable Solution to Preventing Data Breaches for the Mid-Market
Focus on External Data Privacy (EDP) Management
At Privacy Bee, “external data” is defined as all Personally Identifiable Information, or PII, on every member of an organization’s workforce that is – whether knowingly or unwittingly – accessible or available outside of the employee’s or the organization’s security perimeter. From C-level executives to mid-level management to the rank-and-file of the labor pool – even for external contractors like freelancers and 1099 independent contractors – any PII related to the workforce and even their immediate families available via people search sites, data broker sites, paste sites, public directories, or any other public-facing site is considered external data. Additionally, external data also includes the PII of every employee or agent within each vendor with whom your organization does business.
The four common solutions listed above are not able to protect an organization if its workforce’s external data is unsecured and readily available on people search sites, data broker sites, paste sites, public directories, etc.
Cloud migration doesn’t prevent spear phishing and other social engineering attacks. In fact, cyber criminals routinely trick employees into revealing their passwords and credentials for secure networks, even when those networks are securely hosted in hardened cloud facilities.
Cyber insurance does absolutely nothing to protect a mid-market business from becoming a victim of a data breach, ransomware attack, DDoS or any other malicious crime. It is not a preventative strategy at all. Sure, it helps cover the costs of a data breach and subsequent litigation after the fact. And it will also grow more costly as premiums tend to rise after claims are submitted. Wouldn’t it be better to avoid breaches in the first place?
Staff trainings are useful, but they do little to slow or even prevent the onslaught of attacks made on mid-sized companies. If an organization still allows its employees’ PII to be readily available for exploitation by criminals, then it had better hope the trainings are being well-received. Even after a firm removes the vast majority of employee and vendor PII from the internet, staff trainings and education are still important to help keep the workforce knowledgeable and vigilant about online threats.
Preparing for new legislation and regulations is an important step for mid-market companies. Yet the preparation has to move beyond the drafting of internal policies and corporate governance documents. To really be compliant with emerging regulations, mid-market firms must embrace proactive and proven effective strategies for removing their workforce’s external data from public access on the internet.
Privacy Bee offers low-cost tools and services to mid-market firms to improve external data privacy by reducing the exposed PII which enables more than 60% of data breaches. Reducing risk this way delivers increased competitive advantage (especially in terms of cost savings) by mitigating data breaches.
EDP solutions like Privacy Bee monitor and eliminate employee PII from external sources, significantly reducing an organization’s digital footprint and thus its risk of being breached. Moreover, these efforts help to maintain customer trust and loyalty.
EDP solutions like Privacy Bee provide organizations a competitive advantage, helping them comply with the emerging data privacy regulations being drafted at the federal and state levels. Privacy Bee scans for, removes, and monitors employee PII on external sources. Doing so helps avoid not only breaches themselves, but costly noncompliance penalties. Moreover, an EDP solution, by mitigating data breach risk, also deters the lawsuits and other judicial actions that often result.
Showing commitment to data privacy by investing in EDP is a true competitive advantage that can help protect a company’s reputation and financial well-being. Best of all, the cost of the Privacy Bee solution relative to the cost of cybersecurity at the enterprise level enables mid-market firms to deploy protections against breaches and all other cyber attacks as powerful and effective as those of their enterprise-level counterparts.