Although more than half of IT decision-makers at midsize companies think cybersecurity is a moderate to high priority for their group, the majority believe the larger organization has not prioritized IT security issues.
These were among the results of an UncommonX survey of 220 key IT-related professionals at midsize organizations across various industries.
The study also revealed 60% of midsize organizations suffered a ransomware attack in the past 18 months and 20% spent $250,000 or more to fully recover from it.
UncommonX’s CISO Patrick Hayes said that, given the overall responses, the most concerning finding was that 65% of organizations had not conducted a cybersecurity risk assessment.
“This is a fundamental step in understanding if the organization has the right alignment of risk, from business strategy to technology, in order to properly protect themselves,” he said. “Without current knowledge of what coverage an organization has, it is difficult to articulate what the business needs to invest in to reduce risk.”
An understanding of the company’s current security state, he explained, can show IT security workers where the organization has misaligned its security program investments, spending in areas that are not high-risk to the business while neglecting the real risks.
Midsize Growing Pains
Casey Ellis, founder and CTO at Bugcrowd, a crowdsourced cybersecurity platform, said midmarket cybersecurity challenges are analogous to the “awkward teenager” phase of growing up.
“There are issues and considerations that organizations are facing for the first time and figuring out on the fly, but they aren’t yet of the size and stage where the solutions an enterprise would deploy are a good fit,” he said.
On top of this, Ellis noted there are as many unique problems to solve as there are “one size fits all” ones, and telling the two apart can be tricky.
“I’d say the most glaring weaknesses in the midmarket exist around attack surface drift, patch management and deployment and application security—all of which are byproducts of poor visibility,” he said. “These are glaring to me because, unlike phishing and fraud, they often don’t require any user interaction to exploit.”
Ellis said instantiating a vulnerability disclosure program or private bug bounty program against the entire organization is an effective way to wrestle these risks back into line.
More than one-third of businesses surveyed indicated that the pandemic conditions have worsened their overall risk levels, and almost half cited work-from-home (WFH) as a key factor in increasing their risk.
Hayes added the pandemic has heightened overall risk levels for midsize organizations because many of them were left in a position to rethink how people work remotely.
“It isn’t as easy as connecting to a website or implementing a VPN for secure communication,” Hayes said. “Working remotely has impacts on network architecture, data classification and protection, as well as the impacts of employee behaviors outside of a traditional work setting.”
Kevin Dunne, president at Pathlock, a provider of unified access orchestration, said midsize organizations have been increasingly targeted by bad actors.
“They have the means to pay out the typical ransom requested by ransomware attackers, but they don’t have the resources to recover systems affected by ransomware,” he said. “Additionally, midsize organizations typically have adopted cloud solutions more completely, putting more sensitive data and critical business processes in the crosshairs of attackers.”
He noted that work-from-home has fueled the adoption of cloud software, pushing critical information into the public sphere where it is no longer protected by traditional network perimeters.
In addition, identity and access management is increasingly becoming the primary method of protecting sensitive data and critical business processes that live in cloud systems.
“However, traditional identity solutions are lacking in that they rely on outdated means of protection, including passwords or device identities which are easy to compromise via phishing or other means,” he said. “These new models of work require more robust and intelligent solutions to identity and access management which understand what a user is doing with their access to better determine risk and account compromise.”
From Hayes’ perspective, there’s no question the pandemic has changed the risk landscape for midsize organizations; he pointed out it is an ideal time for many to assess their current state in light of the new needs of the business and ensure that risk is appropriately addressed.
“Organizations will need to think holistically regarding the human threat vector,” he said. “Cybersecurity training just isn’t enough in this new world of remote work, especially for companies that were never prepared for it.”
Ensuring that staff have knowledge of their potential to unleash an attack on their company is only the beginning; the distractions inherent to a non-traditional work environment are a social engineer’s dream opportunity.
“With this knowledge, it is important that we also look at the right tools for email security, for endpoint detection and malware,” he said. “We also need to increase our monitoring capabilities for when these attacks evade our detection.”
Hayes said vulnerability management has become even more important to the business, as these weak points are what attackers will look to exploit as the next stage of attack escalation.
He predicted most midsize companies would continue to focus more on technology and tools than on a programmatic approach to risk: as stated in the survey results, only 35% of organizations plan to conduct an assessment of their security program.
Hayes said without the knowledge of how an organization’s security program can support the needs of the business, many companies will fail to prevent attacks and will be left scrambling when the time comes to respond – when it may be too late.
Certain gaps can be prioritized for investment and the business can then be an active participant in the decision to accept risk, build in-house capabilities or leverage the value from outsourcing to a security partner.
“A plan based on the current and realistic view of an organization’s security program can provide the necessary visibility to gaps that need to be addressed,” he said.