Mid-Market Cybersecurity: Getting the Basics Right

In recent months we’ve seen a rash of cyberattacks against big businesses, with potentially disastrous consequences: 

• A ransomware attack shut down Change Healthcare, the largest medical billing and payment system in the US. 
• A phishing attack victimized Microsoft(!), compromising the data from hundreds of executive accounts.  
• A Bank of America vendor was breached, compromising the personal data of tens of thousands of customers. 

It’s an expensive and embarrassing situation for these companies. And the businesses they in turn work with have suffered consequences as well—the Change Healthcare hack left thousands of medical providers unable to bill for their services.  

If these giant businesses can get hacked, how does a mid-market business protect itself? 

When we start with new clients, we talk about “getting the basics right.” A fundamental part of that is making sure the IT infrastructure and services are exactly what you need and up to date. If the basics aren’t right, then there’s no hope of looking at ways to use technology to grow the business and get ahead of the competition. 

To provide you with a head start, here are your priorities: 

Analyze your risks and plan accordingly.

Create a risk-and-issue log that defines all the risks in the business, prioritize them by level of risk, and have a plan for each of them—even if that plan is “do nothing.” 

Get insured.

Crime insurance covers the loss of money due to theft, fraud, or dishonesty and includes theft by hackers. Cyber insurance covers the losses resulting from a cyberattack. Add both to your portfolio as separate policies, not just add-ons to existing business insurance. 

Train your employees. 

Your people (which includes the CEO!) are the most vulnerable security point in your business. The more they understand what to look for, the better your chances of avoiding an attack. 

Don’t forget systems maintenance and physical security.

Your business won’t be safe if your offices aren’t secure, or your company devices are left sitting unattended outside the office. All systems and services—particularly those connected to the “outside world”—must always have the latest software patches.  

Get certified.

A good place to start is Cyber Essentials, an actionable framework from the US government. But you may also benefit from ISO27001, an international certification that proves to customers you take security seriously. 

The above priorities aren’t necessarily easy. But they’re not onerous, and they’re worth your time. Because a mid-market business doesn’t have the resources to bounce back from a cyberattack like Microsoft, but with the right steps you’ll greatly reduce the chance of a breach—and still have a viable business in the event of one. 

You can get more details about the basics in our new report: Solving Cybersecurity Risks in 2024: Six Steps to a Safer Business. Or if you have questions about any of these priorities, get in touch. We’re always up for a no-pressure conversation—about cybersecurity or any other IT-related aspect of your mid-market business.