Four Things Middle Market Companies Must Do to Improve Cybersecurity

Hal Conick
Marketing News
Key Takeaways

What? Only 45% of middle market companies have an updated cyber-defense plan.

So what? The health care industry alone has suffered $6.2 billion in losses from cybersecurity breaches. The rest of the middle market must take action to protect itself.

Now what? Middle market companies should have a plan for security, ensure employees are keeping company data safe and know the legal and monetary risks of a data breach.

Jan 30, 2017

Middle market companies talk about cybersecurity, but only 45% have an up-to-date defense plan. How can the middle market protect itself from costly data breaches?


On a warm Ohio morning in August, a Ukrainian hacker threw a middle market health care group into complete disarray. It was random and it was swift. 

The hacker, known as @PravSector, posted 156 GB of patient data from The Central Ohio Urology Group. COUG claimed the breach impacted 300,000 patients. The leak included full names, diagnoses, telephone numbers, insurance account numbers and postal addresses, all posted in plain text on Google Drive, according to

In claiming responsibility for the breach, @PravSector told the leak was politically motivated, a warning so that “no one thought to poison our people with the virus from secret laboratories.” COUG was not involved with any poisonings or secret laboratories, but the hacker wanted to bring attention to supposed “secret trials of virus in Ukraine” by the U.S. The hacker planned similar leaks, adding, “We are people, and we want to live.”

What happened to COUG follows no real-world logic. But however random this leak may seem, COUG isn’t alone, and more victims of such seemingly random hacks will follow. According to NetDiligence/McGladrey’s 2015 Annual Cyber Claims study, middle market companies—those with revenues between $50 million and $1 billion—account for nearly half of all cyber claims.

Cybersecurity is still a relatively new issue for middle market companies, but the impact is dire. A 2016 report from the Ponemon Institute found the health care industry alone has likely suffered $6.2 billion in losses from data breaches. Of those health care companies breached, 79% have been hit twice or more and 45% five times or more.


Ransomware - Anatomy of an Attack


“You can get really paranoid when you think about that stuff,” says Thomas Stewart, executive director of the National Center for the Middle Market. “But if you don’t get paranoid, you can make careless mistakes.”

Companies worrying about cybersecurity extend beyond health care and into the rest of the middle market. Manufacturers, car dealerships, law firms, banks and others now store more data online than ever, making these businesses susceptible to a series of hard-hitting breaches. Reliance on data will only grow, and with it the threat of breaches, as online data production is expected to be 44 times greater in 2020 than it was in 2009, according to technology provider CSC.

The Middle Market Under Attack 

Brian Beyer, co-founder and CEO of cybersecurity company Red Canary, says middle market companies must stop thinking they are “too small to be targeted.”

“We primarily protect middle market companies and there are plenty of bad things targeting the middle market,” he says. 

As ransomware, phishing and other simplistic hacks have become prevalent, Stewart says larger companies have become better at cybersecurity; they’ve invested more and protected themselves. Meanwhile, middle market businesses have found themselves “under attack,” especially those with large amounts of data.

The National Center for the Middle Market recently launched its Cybersecurity Resource Center to collect cybersecurity best practices. Stewart wants to create a “one-stop shop” for getting started in better protection online for the middle market. 

More centralized information for the middle market may be a good start toward improvement, says Jacob Koering, attorney at Miller Canfield and co-founder of the firm’s cybersecurity and data privacy practice. Koering says the most common problem he finds in middle market companies is a dearth of concise, reliable information on cybersecurity best practices. Most firms are aware of potential issues but aren’t sure how to prioritize legal and technical problems. 

“Navigating those issues requires knowledge of the technical capabilities of the company and its marketing and data retention needs, as well as the legal obligations and potential legal exposure related to the retention and storage of that data,” Koering says. 

To start the improvement, NCMM released a survey of middle market cybersecurity that found:

  • 86% of middle market firms say cybersecurity is important for their business, but only 22% have cyber insurance to protect assets from a breach.

  • 45% of firms have an up-to-date strategy, while 30% of firms say they have no strategy.

  • 75% say they haven’t been a victim of a hack, while 16% say they have, and 9% “don’t know.” 


Source: National Center for the Middle Market

However, Stewart says there’s one thing they know about this third set of statistics: they’re incorrect. Companies, on average, don’t realize that they’ve been breached until about a half-year later, he says, so the number of those breached is likely higher. 

There’s also some good news in the NCMM numbers. Sixty-one percent of middle market financial services companies say they have a current and annually renewed cybersecurity plan. The same is true for 54% of health care companies. Additionally, 49% say they talk about cybersecurity as part of the overall strategy at the board level with cybersecurity experts at the table, while 37% say they talk about it at the board level without cybersecurity experts. 

“They may still not have a policy in place as you saw, but I think that’s a decent number,” Stewart says. “These numbers are probably getting better all the time.”

While spending on cybersecurity may seem like throwing money down a black hole, NCMM’s report tells a different story. Companies that rated cybersecurity as “extremely important” saw revenue growth of 7.8%, while those that deemed it “very important” saw revenue growth of 4.7% and those who rated it “not important” saw growth of 3.9%. The average breach costs approximately $4 million, per the Ponemon Institute, so it isn’t surprising to see companies saving money even when spending on cybersecurity. 

Here are four tips for middle market organizations to improve cybersecurity:

1. Have a Plan

Koering says middle market companies must first have a plan to improve cybersecurity, including knowing what data they collect, why they collect it, where the data is stored and how the data is used. “Then, set up policies and procedures to protect the data consistent with best practices and legal obligations,” he says. 

Stewart says finding a plan can come from assessing risk, followed by assessing the people, process and technology. This may mean bringing in outside help, hiring more employees or improving training, among other options. With any plan midmarket companies make, Stewart says assessing risk and planning for protection is a good way to start. 

Beyer says visibility across the company and having the ability to interpret everything that is collected is an essential step in planning for cybersecurity.

“You don’t know what you don’t know about, so how can you prioritize which steps to take to improve your security?” he says. “Get a base-level understanding of what is happening in your environment and what threats you are facing so you can improve your security accordingly.”

2. Employees Must Be Secure

Ironically, Stewart says, technology is likely the most fretted-over cybersecurity threat, but also the easiest to secure. It’s the phishing attacks, carelessness about passwords, laptops left in taxis and other human-based errors that lead to the worst leaks. 

Just consider the attacks that built one of the biggest storylines of the 2016 U.S. presidential election. John Podesta, former chairman of the 2016 Hillary Clinton presidential campaign, gave his account information away via a phishing attack. So did retired four-star General Colin Powell. Phishing attacks—messages made to look legitimate but sent maliciously to obtain secret information—aren’t easy for everyone to spot, so training employees on what to look for may need to become the new normal at middle market companies.

Who gets access to what data can also be an issue, Stewart says, as can the company’s familiarity with the FBI or other agencies that need to be notified once an attack occurs. “You should already have these contacts,” Stewart says. 


Source: Ponemon Institute

Additionally, Beyer says allowing users to have local administrative rights is a “surefire way to get your company breached, regardless of all the shiny new security solutions you buy.” 

Negligent or malicious employees are the reason for more than half of cybersecurity events, Koering says. The best way to avoid this kind of breach is to educate and train employees on cybersecurity practices. And training employees doesn’t mean executives or ownership can skip out, he says. 

“Since executives and ownership often have access to more critical data and are more visible, and therefore more likely to be the target or subject of a phishing attack, compliance with cybersecurity best practices is even more critical for those individuals,” Koering says. 

3. Cover Legal Risks

Businesses now hold more sensitive data online, which means more potential legal risks. Koering says there are different liability levels for breaches—including civil, regulatory and criminal—depending on the size of the risk. In the civil arena, for example, the risk of loss increases on a per-record basis because plaintiffs’ attorneys use class-action lawsuits as an enforcement mechanism, Koering says. Since these lawsuits are expensive, there must be a significant number of breached records to bring about litigation.

“For middle-market companies, therefore, the risk of civil liability is generally small until the number of compromised records is sufficient for a contingent-fee attorney to take notice,” Koering says. “Once they do, the cost of mitigation of damages has averaged over $185 per record. … Thus, in general, the more records, the more risk, in terms of costs of mitigation and potential civil liability.”

Regulatory and criminal risk depends on regulatory and legislative environments, Koering says. President Donald Trump’s choice of Dr. Joshua Wright to lead the transition of the Federal Trade Commission may signal a weakening of enforcement capabilities of the FTC, the body that has thus far led cybersecurity regulation. Less enforcement from the FTC is likely good news for small and middle market companies, he says. 

“At the same time, we’re seeing increased legislative activity from the states regarding data privacy, especially in Delaware and California,” Koering says. “That activity, in turn, raises the possibility that state-based data privacy enforcement and litigation may grow to compensate for any decrease in federal enforcement. Unless that legislation includes more incentive to litigate, it is unlikely to increase the risk of cybersecurity breaches for small and midsize firms with limited numbers of data records.”

4. Protect the Crown Jewels

Some security can be one-size-fits-all, but Stewart argues that companies must protect their “crown jewels,” or data so valuable that any leak would be critical. 

“You can’t be 100% safe. We know that,” Stewart says. “But the question is: What do you want to protect to a 99% degree of certainty? How do you interact with total risk management? Have you also talked through with your lawyers all the things that you need to do beforehand? Obviously you want to protect customer data, your personal data and yourself from litigation risk.”

This is an area that will make executives paranoid and keep them up at night, Stewart says, but there must be a measure of vigilance in protecting the crown jewels. “You can’t be casual about it,” Stewart says.

Breaches, like the one that happened to COUG, happen all the time. The problem is that not many get publicity, Beyer says, especially not as much coverage as the Target, Home Depot and Anthem breaches that affected millions. Middle market breaches tend to be in the vein of a pharmaceutical company that loses its prized formula or a financial institution that loses customer trust, Beyer says. 

“In the middle market, these types of breaches can be devastating, even crippling,” he says. “I hope it doesn’t take a galvanizing event before executives start making changes. But I think most executives think it couldn’t happen to them.”



Author Bio:
Hal Conick
Hal Conick is a staff writer for the AMA’s magazines and e-newsletters. He can be reached at or on Twitter at @HalConick.
1 Comment
Xinghao Zhao
February 19, 2017

How to prevent a developing company from an internet security breach is one thing that can't be ignored. As it mentioned in the text, according to NetDiligence/McGladrey’s 2015 Annual Cyber Claims study, middle market companies—those with revenues between $50 million and $1 billion—account for nearly half of all cyber claims. But the problem is, some of the companies realized this danger but they didn't do anything to protect themselves. And the rest of them didn't take it seriously and think this will never happen to them. Here are four suggestions. First, have a plan: get a base-level understanding of what is happening in your environment and what threats you are facing so you can improve your security accordingly. Second, secure employees. According to the chart above, employee negligence is the highest. The third one is cover legal risks: try not to do something against the law. The last one is protect the Crown Jewels. The company must have an idea what data is important to them and secure it. If it were leaked, it could cause huge damage to the company. So in conclusion, these four types of breach are the most common; be prepared ahead of time.
