Mid-size insurance and finance companies face the same cybersecurity threats as industry incumbents, but most of them have failed to sufficiently prepare to fight those threats.
Because many of these companies falsely presume their current cyber strategy is good enough, according to Arctic Wolf Networks, the Silicon Valley-based cybersecurity provider. Company representatives elaborated on this and other insights during a recent webcast titled, "Cyberattacks: Why mid-size companies believe they’re safe — but aren't."
The discussion was largely rooted in the results of a survey that Arctic Wolf conducted earlier this year. Roughly 200 IT executives were interviewed during the course of researching "The State of Mid-Market Cybersecurity: Findings and Implications," which was produced in conjunction with Vanson Bourne.
The majority of survey respondents reported that their cybersecurity strategy is "good or great," and that the products and tools they currently use to combat cyber threats are sufficient. At the same time, many of those same respondents conceded that a cyber breach has the potential to wreck their businesses in a matter of minutes, and that their companies lacked a dedicated team or individual whose sole focus is to protect the business against cyber predators.
"Most mid-market enterprises believe they are safe because they have the traditional perimeter defenses in place," Brian NeSmith, CEO of Arctic Wolf Networks, said in a press release about the 'Mid-Market' survey. "This falls far short of what’s needed for rigorous security in today’s complex threat environment. The challenge smaller enterprises face is that they have all the same security issues as large enterprises with only a fraction of the budget and less specialized personnel."
The company dubbed the widespread disconnect between how well mid-size companies believe they are protected from cyber threats, versus how well they are actually protected, "cybersecurity dissonance."
Here are five major reasons that mid-size companies are lacking when it comes to cybersecurity, and why many of them were sweating in the face of the recent WannaCry ransomware outbreak, based on the survey findings from Arctic Wolf and Vanson Bourne.
Without personnel dedicated to cybersecurity, it may be impossible for companies to execute 24/7 system monitoring and response. (Photo: iStock)
No. 5: Many mid-size companies lack a dedicated Security Operations Center (SOC)
Although the Artic Wolf survey came out in January, the company found itself discussing its findings anew in the wake of the far-reaching WannaCry virus. During Artic Wolf’s recent cybersecurity webcast, Sridhar Karnam, the company's director of product marketing, mirrored the feeling of many in the cybersecurity industry: WannaCry was impressive more for its reach than its impact.
Karnam also highlighted these pertinent results from his company's Mid-Market Cybersecurity survey:
— Roughly three out of four respondents report that their role covers so many different IT areas that it is difficult to focus on cybersecurity.
— Half of the survey respondents said that the subject of cybersecurity is so complex that they don’t know where to start to improve their company’s security strategy.
It follows that Arctic Wolf, which specializes in providing other companies with a Security Operations Center, or SOC, believes that having a dedicated SOC is the first, best way to protect against cyber threats.
"To avoid the conflict of interest between IT operations and security operations," Karnam said, "I highly, highly recommend a SOC that is outside the IT area."
IT professionals and cybersecurity professionals tend to have distinct training, expertise and service sensitivities, Karnam added. Yes, cybersecurity pros are expensive, and sometimes hard to hire. But that’s because they represent a powerful protection step that in most cases will result in the 24/7 cybersecurity monitoring and response that’s become essential to warding off cyber threats.
Insurance and financial services are two sectors known for having cybersecurity gaps. (Photo: iStock)
No. 4: Insufficient companywide cyber training
Karnam echoed another common observation about cybersecurity: The biggest weakness tends to be human error.
Respondants to the Mid-Market Cybersecurity survey were asked to rank what they believed were the top cybersecurity threats looming on the horizon.
Here is the list of threats revealed by this question, along with how many respondents believed that particular area to be a top concern:
— Viruses: 67%
— Malware: 63%
— Professional cybercriminals: 63%
— Data theft: 54%
— Phishing: 51%
— Competitive espionage: 41%
— State-sponsored cyber attacks: 31%
— Zero day threats: 31%
— User error: 30%
— Ransomware: 29%
— Joyride hacker: 23%
— Insider threats: 20%
Notable among these pre-WannaCry survey responses is the fact that both "user error" and "ransomware" were deemed lesser threats in the overall cybersecurity spectrum. Nonetheless, this latest ransomware outbreak infected more than 230,000 computers in over 150 countries including parts of Britain's National Health Service, Spain's Telefónica, FedEx and Deutsche Bahn, according to BBC News.
The incident revealed vulnerabilities about which agencies such as the U.S. National Security Agency (NSA) was already aware, and many of those vulnerabilities could be traced back to human error.
For what it’s worth, Arctic Wolf’s Sridhar Karnam advised against paying a ransom should your company ever face a similar virus.
"Do not pay!" he said. "There is no guarantee that they will give you an inscription card… The best way to fight ransomware is to either prevent it, or to have a backup" network.
A SOC may cost an average of $1.4 million, according to the Arctic Wolf survey. (Photo: iStock)
No. 3: Resource allocation challenges
Arctic Wolf’s Mid-market Security survey found that 51% of the IT professionals surveyed said they would like their organization to assign more budget and/or resources to cybersecurity.
What’s more, every single survey respondent (100% of them) said that in order to better protect their company against cyber threats, they would need to step up efforts in at least one of the following areas:
— Privilege access monitoring.
— Insider threat and user monitoring.
— Incident response management.
— Vulnerability management.
— VPN and remote access monitoring.
— Log analysis.
— Cloud security.
— Application security and DevOps.
— Zero day threat detection.
— Advanced persistent threat detection.
— Web security.
— Network security.
— Threat intelligence.
— User security training.
The fact is, IT departments in most small and mid-size companies are simply stretched too thin to adequately address security needs.
There are pros and cons to either building or buying a SOC. But given how essential a SOC can be to protecting a company's future, the question has now become: Can small and mid-size companies really afford to ignore or shove off their cybersecurity?
More than 9 in 10 (95%) respondents to Arctic Wolf Network's survey, “The State of Mid-Market Cybersecurity: Findings and Implications,” said their organization’s security posture is above average. But half also conceded that they would like their organization to assign more budget and/or resources to IT security. (Photo: iStock)
No. 2: 'Set it and forget it' mentality
In order to meet the growing demands of cybersecurity, many small and mid-size companies are looking to outside vendors, which is fine. But the problem, according to the Arctic Wolf research, is that these businesses tend to think of their security strategy as set once they’ve enlisted a certain product or service. That means their threat monitoring may not be constant or consistent, and security corrections may not happen as quickly as they need to in the current cyber environment.
Related: Keep employee data safe
"Every time there is a new security problem," Karnam said, many small and mid-size companies "just throw a new product at the problem."
No. 1: Overconfidence
Karnam and his colleagues at Arctic Wolf concluded that 'cybersecurity dissonance,' or the belief that one's business is more protected from cybersecurity threats than it actually is, may ultimately be an offshoot of overconfidence.
"It's important to understand what the perception is, versus what the reality is," he said. "The mid-market professionals we surveyed feel very confident. Despite those positive self-assessments, a closer look at security operations and processes in those mid-market companies, we found that professionals are struggling to defend against a lot of malicious activity that has become highly sophisticated and more targeted."
The following infographic was prepared by Arctic Wolf to illustrate the idea of 'cybersecurity dissonance,' as it applies to mid-size companies in all verticals, including insurance and finance.