On a warm Ohio morning in August, a Ukrainian hacker threw a middle market health care group into complete disarray. It was random and it was swift.
The hacker, known as @PravSector, posted 156 GB of patient data from The Central Ohio Urology Group. COUG claimed the breach impacted 300,000 patients. The leak included full names, diagnoses, telephone numbers, insurance account numbers and postal addresses, all posted in plain text on Google Drive, according to DataBreaches.net.
In claiming responsibility for the breach, @PravSector told DataBreaches.net the leak was politically motivated, a warning so that “no one thought to poison our people with the virus from secret laboratories.” COUG was not involved with any poisonings or secret laboratories, but the hacker wanted to bring attention to supposed “secret trials of virus in Ukraine” by the U.S. The hacker planned similar leaks, adding, “We are people, and we want to live.”
What happened to COUG follows no real-world logic. The leak may seem purely random, but COUG isn’t alone, and more victims of this kind of seemingly random hacking will follow. According to NetDiligence/McGladrey’s 2015 Annual Cyber Claims study, middle market companies—those with revenues between $50 million and $1 billion—account for nearly half of all cyber claims.
Cybersecurity is still a relatively new issue for middle market companies, but the impact is dire. A 2016 report from the Ponemon Institute found the health care industry alone has likely suffered $6.2 billion in losses from data breaches. Of those health care companies breached, 79% have been hit twice or more and 45% five times or more.
“You can get really paranoid when you think about that stuff,” says Thomas Stewart, executive director of the National Center for the Middle Market. “But if you don’t get paranoid, you can make careless mistakes.”
Companies worrying about cybersecurity extend beyond health care and into the rest of the middle market. Manufacturers, car dealerships, law firms, banks and others now store more data online than ever, making these businesses susceptible to a series of hard-hitting breaches. Reliance on data will only grow, and with it the threat of breaches, as online data production is expected to be 44 times greater in 2020 than it was in 2009, according to technology provider CSC.
The Middle Market Under Attack
Brian Beyer, co-founder and CEO of cybersecurity company Red Canary, says middle market companies must stop thinking they are “too small to be targeted.”
“We primarily protect middle market companies and there are plenty of bad things targeting the middle market,” he says.
As ransomware, phishing and other simplistic hacks have become prevalent, Stewart says larger companies have become better at cybersecurity; they’ve invested more and protected themselves. Meanwhile, middle market businesses have found themselves “under attack,” especially those with large amounts of data.
The National Center for the Middle Market recently launched its Cybersecurity Resource Center to collect cybersecurity best practices. Stewart wants to create a “one-stop shop” for getting started in better protection online for the middle market.
More centralized information for the middle market may be a good start toward improvement, says Jacob Koering, attorney at Miller Canfield and co-founder of the firm’s cybersecurity and data privacy practice. Koering says the most common problem he finds in middle market companies is a dearth of concise, reliable information on cybersecurity best practices. Most firms are aware of potential issues but aren’t sure how to prioritize legal and technical problems.
“Navigating those issues requires knowledge of the technical capabilities of the company and its marketing and data retention needs, as well as the legal obligations and potential legal exposure related to the retention and storage of that data,” Koering says.
To start the improvement, NCMM released a survey of middle market cybersecurity that found:
86% of middle market firms say cybersecurity is important for their business, but only 22% have cyber insurance to protect assets from a breach.
45% of firms have an up-to-date strategy, while 30% of firms say they have no strategy.
75% say they haven’t been a victim of a hack, while 16% say they have, and 9% “don’t know.”
Source: National Center for the Middle Market
However, Stewart says there’s one thing they know about this third set of statistics: they’re incorrect. Companies, on average, don’t realize that they’ve been breached until about a half-year later, he says, so the number of those breached is likely higher.
There’s also some good news in the NCMM numbers. Sixty-one percent of middle market financial services companies say they have a current and annually renewed cybersecurity plan. The same is true for 54% of health care companies. Additionally, 49% say they talk about cybersecurity as part of the overall strategy at the board level with cybersecurity experts at the table, while 37% say they talk about it at the board level without cybersecurity experts.
“They may still not have a policy in place as you saw, but I think that’s a decent number,” Stewart says. “These numbers are probably getting better all the time.”
While spending on cybersecurity may seem like throwing money down a black hole, NCMM’s report tells a different story. Companies that rated cybersecurity as “extremely important” saw revenue growth of 7.8%, while those that deemed it “very important” saw revenue growth of 4.7% and those who rated it “not important” saw growth of 3.9%. The average breach costs approximately $4 million, per the Ponemon Institute, so it isn’t surprising to see companies saving money even when spending on cybersecurity.
Here are four tips for middle market organizations to improve cybersecurity:
1. Have a Plan
Koering says middle market companies must first have a plan to improve cybersecurity, including knowing what data they collect, why they collect it, where the data is stored and how the data is used. “Then, set up policies and procedures to protect the data consistent with best practices and legal obligations,” he says.
Stewart says a plan can begin with assessing risk, followed by assessing the people, process and technology. This may mean bringing in outside help, hiring more employees or improving training, among other options. Whatever plan a midmarket company makes, Stewart says assessing risk and planning for protection is a good way to start.
Beyer says visibility across the company and having the ability to interpret everything that is collected is an essential step in planning for cybersecurity.
“You don’t know what you don’t know about, so how can you prioritize which steps to take to improve your security?” he says. “Get a base-level understanding of what is happening in your environment and what threats you are facing so you can improve your security accordingly.”
2. Employees Must Be Secure
Ironically, Stewart says, technology is likely the most fretted-over cybersecurity threat, but also the easiest to secure. It’s the phishing attacks, carelessness about passwords, laptops left in taxis and other human-based errors that lead to the worst leaks.
Just consider the attacks that built one of the biggest storylines of the 2016 U.S. presidential election. John Podesta, former chairman of the 2016 Hillary Clinton presidential campaign, gave his account information away via a phishing attack. So did retired four-star General Colin Powell. Phishing attacks—messages made to look legitimate but sent maliciously to obtain secret information—aren’t easy for everyone to spot, so training employees on what to look for may need to become the new normal at middle market companies.
Who gets access to what data can also be an issue, Stewart says, as can the company’s familiarity with the FBI or other agencies that need to be notified once an attack occurs. “You should already have these contacts,” Stewart says.
Source: Ponemon Institute
Additionally, Beyer says allowing users to have local administrative rights is a “surefire way to get your company breached, regardless of all the shiny new security solutions you buy.”
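As an added illustration of Beyer’s point (this is not code from the article, from Red Canary or from any company named here), the script below audits who actually holds local administrative rights on a Windows machine, which is the first step in removing them from ordinary users. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module, and the allow-list of expected administrators is a constructed placeholder to be replaced with the organization’s own.

```powershell
# Added example: audit local Administrators group membership.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember ships with the LocalAccounts module).
# $expectedAdmins is a constructed allow-list; replace it with the accounts your
# organization has deliberately approved for local admin rights.
$expectedAdmins = @('Administrator', 'Domain Admins', 'LocalAdminBreakGlass')

# Enumerate every principal in the local Administrators group (users and groups).
$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    # Name arrives as DOMAIN\account or COMPUTER\account; compare on the account part only.
    $account = ($m.Name -split '\\')[-1]
    [PSCustomObject]@{
        Name   = $m.Name
        Type   = $m.ObjectClass        # User or Group
        Source = $m.PrincipalSource    # Local, ActiveDirectory, AzureAD, ...
        Status = if ($expectedAdmins -contains $account) { 'expected' } else { 'UNEXPECTED' }
    }
}

# Print the full table, then call out anything that should not be there.
$report | Format-Table -AutoSize
$unexpected = $report | Where-Object Status -eq 'UNEXPECTED'
if ($unexpected) {
    Write-Warning ("{0} principal(s) hold local admin rights without approval: {1}" -f `
        $unexpected.Count, ($unexpected.Name -join ', '))
}
```

Run it from an elevated prompt on a sample of workstations; any user account that shows up as UNEXPECTED is a candidate for removal with Remove-LocalGroupMember once the business need has been confirmed, and the same allow-list can be enforced centrally through Group Policy Restricted Groups rather than machine by machine.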
Negligent or malicious employees are the reason for more than half of cybersecurity events, Koering says. The best way to avoid this kind of breach is to educate and train employees on cybersecurity practices. And training employees doesn’t mean executives or ownership can skip out, he says.
“Since executives and ownership often have access to more critical data and are more visible, and therefore more likely to be the target or subject of a phishing attack, compliance with cybersecurity best practices is even more critical for those individuals,” Koering says.
3. Cover Legal Risks
Businesses now hold more sensitive data online, which means more potential legal risks. Koering says there are different liability levels for breaches—including civil, regulatory and criminal—depending on the size of the risk. Civil liability, for example, grows on a per-record basis, because plaintiffs’ attorneys use class-action lawsuits as an enforcement mechanism, Koering says. Since these lawsuits are expensive, there must be a significant number of breached records to bring about litigation.
“For middle-market companies, therefore, the risk of civil liability is generally small until the number of compromised records is sufficient for a contingent-fee attorney to take notice,” Koering says. “Once they do, the cost of mitigation of damages has averaged over $185 per record. … Thus, in general, the more records, the more risk, in terms of costs of mitigation and potential civil liability.”
Regulatory and criminal risk depends on regulatory and legislative environments, Koering says. President Donald Trump’s choice of Dr. Joshua Wright to lead the transition of the Federal Trade Commission may signal a weakening of enforcement capabilities of the FTC, the body that has thus far led cybersecurity regulation. Less enforcement from the FTC is likely good news for small and middle market companies, he says.
“At the same time, we’re seeing increased legislative activity from the states regarding data privacy, especially in Delaware and California,” Koering says. “That activity, in turn, raises the possibility that state-based data privacy enforcement and litigation may grow to compensate for any decrease in federal enforcement. Unless that legislation includes more incentive to litigate, it is unlikely to increase the risk of cybersecurity breaches for small and midsize firms with limited numbers of data records.”
4. Protect the Crown Jewels
Some security can be one-size-fits-all, but Stewart argues that companies must protect their “crown jewels,” or data so valuable that any leak would be critical.
“You can’t be 100% safe. We know that,” Stewart says. “But the question is: What do you want to protect to a 99% degree of certainty? How do you interact with total risk management? Have you also talked through with your lawyers all the things that you need to do beforehand? Obviously you want to protect customer data, your personal data and yourself from litigation risk.”
This is an area that will make executives paranoid and keep them up at night, Stewart says, but there must be a measure of vigilance in protecting the crown jewels. “You can’t be casual about it,” Stewart says.
Breaches, like the one that happened to COUG, happen all the time. The problem is that not many get publicity, Beyer says, especially not as much coverage as the Target, Home Depot and Anthem breaches that affected millions. Middle market breaches tend to be in the vein of a pharmaceutical company that loses its prized formula or a financial institution that loses customer trust, Beyer says.
“In the middle market, these types of breaches can be devastating, even crippling,” he says. “I hope it doesn’t take a galvanizing event before executives start making changes. But I think most executives think it couldn’t happen to them.”