Cyberthreats continue to loom over companies and organizations. Snatching private data is big business for criminal elements that use it for ransomware schemes or sell it on the black market.
Technology, media and telecommunication (TMT) businesses are especially enticing to cyberattackers given their large collections of consumer and enterprise data and their treasure trove of intellectual property (IP) information. In addition, most middle market TMT companies find it challenging to address threats given their strained infrastructures that often inadequately protect their prized data assets. Because of this, it becomes critical for businesses to focus on risk and make investments in cybersecurity resources.
Unfortunately, many TMT companies have trouble finding resources that can fill all roles needed to sustain an entire cybersecurity program. Most organizations are already behind on capital expense cybersecurity spending. As a result, there can be a gap between what a business is spending on cybersecurity and what it should be spending; a realignment of the overall budget is often necessary.
According to the RSM US Middle Market Business Index (MMBI) 2021 Cybersecurity Special Report, 28% of middle market executives indicated that their companies experienced a data breach in the last year, up from 18% in 2020. Additionally, 64% of respondents anticipate that unauthorized users will attempt to access their company’s data or systems in 2021. While large TMT companies such as SolarWinds, Yahoo and Equifax might get the attention and cyberattack headlines, middle market businesses are feeling the cyberthreat target on their backs as well.
In addition to combatting the increasing number of cyberthreats, businesses, including TMT companies, are also challenged with addressing a surge of regulatory compliance as a growing number of countries and states are beginning to enact cybersecurity legislation to improve data protection. For instance, many businesses are required to comply with the European Union’s General Data Protection Regulation (GDPR) as well as U.S. legislation like the California Consumer Privacy Act (CCPA). Historically, many companies have been slow to develop compliancy processes. According to RSM’s cybersecurity report, “55% of executives are familiar with the requirements of the GDPR, another significant jump from last year’s data (39%).”
What should TMT businesses do?
To address the increasing cyberthreat environment, it’s important for TMT companies to adopt a variety of measures to fortify the digital perimeter of their businesses while also strengthening internal processes and systems. While cyberthreat resources might be strapped, there are a variety of basic blocking and tackling efforts that can strengthen data security. Note the following five tips:
1. Assess your data
Three questions: Where’s your data? Who has access to it? What protections do you have in place? Identifying your key data sets and establishing the location of this information is critical to protecting your information security. It seems fundamental, but given the quick growth of TMT companies, added acquisitions, and new employees and accounts, data placement can get murky and access to this key information gets unwieldy. Assess your data, determining type and location, and have a rigorous policy in place regarding access, and then monitor that access. You should have systems and policies in place to address overall risks.
2. Consider cyber insurance
To combat cybercrime repercussions, cyber insurance has become an effective solution. RSM’s cybersecurity report found that 65% of middle market organizations carry a cyber insurance policy to mitigate risk. However, while the usage of cyber insurance is gaining momentum, some executives do not have a full understanding of their coverage. In fact, the survey found that 35% of the companies that carry policies are somewhat familiar or not at all familiar with their coverage levels. Companies must understand their policies to ensure exposures are addressed. Periodic evaluation of the insurance policy is also needed to account for evolving risks.
3. Train your people
When we work with clients on their cybersecurity vulnerability, we frequently conduct penetration testing, which includes social engineering, to understand where immediate exposures might occur. When we do this, the majority of the time we uncover weak passwords that are easy to crack. We also find that social engineering efforts can be effective at tricking users into clicking on links. Much of this careless user behavior can be addressed via improved user training and oversight where unacceptable practices are challenged and appropriate behaviors are incentivized.
4. Move to the cloud
As TMT companies grow, they can lose control of their data and fail to understand how much information they have and where it resides. In response, businesses can move their data to the cloud for increased efficiency and access, but also greater security. Cloud vendors’ economy of scale enables them to implement more extensive security measures and controls that are not typically realistic for some middle market companies. Forty percent of respondents to RSM’s cybersecurity survey detailed moving or migrating data to the cloud for security concerns in the past year, a 2% reduction from the previous year’s data.
Before moving to a cloud platform, though, it’s important to have a good understanding of the type of data being stored and accessed. This will help determine the level of security needed by the cloud provider. Keep in mind, as your company moves to the cloud, controls that were previously required to protect environments will not be as effective. It’s critical to develop a cloud security architecture that segments the infrastructure to limit the impact if a breach occurs and also places restrictions on who has access to particular segments. This helps control possible entry points by unwanted intruders.
5. Plan to respond
When a breach occurs, it’s not a good time to blow the dust off your neglected, outdated incident response plan (IRP) and attempt to figure out what to do next. The IRP should be a living, evolving strategy and your plan rehearsal should be conducted every six months, if possible. Roles and responsibilities should be concisely spelled out, and action steps must be comprehensive. Evaluate the process and revise the plan as needed.