Mid-Level Hit, Massive Impact
In early February, the largest Canadian online book and music retailer, Indigo, was under attack for several days. The attacks affected customer orders in both retail locations and online. The company was unable to process electronic payments, gift card transactions, or returns during this time. Recently, Indigo representatives provided an update about the ransomware attack and revealed that sensitive past and existing employee data was accessed during the incident.
Attacks against a mid-tier retail operation like Indigo raise important questions. They make you wonder about Indigo's – or any business's – ability to survive. Big companies can metaphorically shrug attacks like this off. They have high-cost redundancy, cutting-edge recovery tools, and costly emergency assistance from cyber disaster specialists at their disposal. They also have the deep pockets to pay their way out. Companies such as Amazon, Apple, Sony, Target, or Disney, for example, have strong brands that allow them to recover from compromises in ways that smaller, less recognizable companies simply cannot. Data shows that 60% of small to mid-size companies that suffer a successful cyberattack will not be around in 6 months.
Existential Challenges
For mid-market companies, there is no safety net. Cyber-insurance is costly and difficult to obtain, and when the rubber hits the road, policies only pay a part of qualified expenses. In a cyber crisis, you still need emergency cash to cover expenses to get back to operational stasis. Thus, there is a massive resiliency distinction between big companies and every company in the mid-market or smaller range.
One of the main reasons cybersecurity incidents can be more dangerous for small and mid-size companies is that they often lack the resources to respond to incidents effectively. These companies may not have an IT team dedicated to cybersecurity, or may not have committed financial resources to hiring outside experts to help prevent and address incidents. This can result in a slower response time and increased risk of further damage to the company’s systems and data.
Too Much to Tackle Alone
When it comes to cyber threats, there are multitudes of challenges afoot for IT operations to take on.
- Ransomware: Ransomware is on the rise. This plague is getting easier and easier for nefarious actors to use.
- Protecting Valuable Assets: One of the most significant reasons why CEOs, boards, and investors should care about cybersecurity is that it helps protect valuable assets. Digital assets are just as valuable as, if not more so than, physical assets. A successful cyberattack can result in the loss of valuable data, leading to financial losses, reputational damage, and legal liabilities.
- Compliance and Regulatory Requirements: Governments and regulatory bodies have implemented strict cybersecurity regulations to protect consumers and businesses. Failure to comply with these regulations can result in significant fines and penalties, plus damage to a company’s reputation.
- Reputational Damage: A successful cyberattack can also result in near-instantaneous reputational damage, which can have a significant impact on a company’s bottom line. A data breach or attack can erode customer trust, leading to lost business and revenue.
- Investor Confidence: Mid-size companies often have investors who possess a vested interest in a company’s cybersecurity posture. A cyber-driven drop in a company’s stock price can lead to a loss in shareholder value. Additionally, investors are increasingly looking at cybersecurity as a key factor when making investment decisions. When risk is high, investment money will go elsewhere.
- Protecting Employees and Clients: Cyberattacks can result in the loss of sensitive data such as dates of birth, social security numbers, and financial information.
Finding Better IT Strategies
IT departments have a big job to do. Executives of mid-market companies must realize that cybersecurity protections should not be single-sourced to the in-house IT department. Those same IT departments may resist, unable to drive outside security sourcing because of the sense of loss. Despite this, security outsourcing is proven leverage that helps companies operate with greater efficiency, reliability, and improved security. Changing cybersecurity operations to include outside organizations requires executive will and a directive from the top.
Cybersecurity is Survival
Cybersecurity should be a critical concern for businesses of all sizes, but given its potentially devastating impact on mid-size companies, for them cybersecurity is a matter of survival. A breach can turn a promising asset into a massive liability for the C-Suite, boards, PE firms, investors, and lenders.
CEOs, boards, and investors alike should care about cybersecurity. It is of immense importance, as it protects valuable assets, helps companies comply with regulatory requirements, prevents reputational damage, instills investor confidence, and protects sensitive data. As cyber threats continue to evolve and become more sophisticated, it’s crucial for businesses to make cybersecurity a regular board-level topic, and for the C-suite to drive investment in robust cybersecurity services.
This article was originally published in Forbes.