Cybersecurity for Middle Market Companies

Published Mar 16, 2016

Co-chairs of the Jeffer Mangels Cybersecurity and Privacy Group, Robert E. Braun and Michael A. Gold, discuss cybersecurity for middle market companies. The other videos in this 4-part series include: Why companies need a cybersecurity training program; First steps to take when there’s a data breach at your company; and Impact of international privacy laws on U.S. companies.

Michael Gold: You know, one of the things that you and I encounter all the time is that smaller and middle market companies that tell us that they don't they need the kind of services that we offer, they don't think they need the kind of cybersecurity defenses you might see in larger companies because they are too small and they don't view themselves as a target. How realistic is that?

Bob Braun: That's entirely unrealistic. First of all, even a small company can have a tremendous amount of valuable information, and I think you and I both know that small companies don't just work in a vacuum, they work with large companies. They themselves can become a conduit for an intrusion for a breach. At a larger company one of their vendors or one of their customers could entirely ruin the company.

Michael Gold: So you probably agree, as I do, with the proposition that there are two kinds of companies: those that have been hacked, and those that have been hacked, but don't know they have been hacked yet.

Bob Braun: There's only two types, that's correct.

Michael Gold: Okay, tell me about some of the measures that middle market and smaller companies can take that can be within their budget, that can afford them the kind of protection that virtually all companies need now in the cybersecurity front.

Bob Braun: Well you cannot, despite everything we have said about the human factor being so important, you cannot overlook the technological aspect of it. But, a lot of these are very, very simple–having adequate virus protection and keeping it up to date, updating systems, making sure that you are not working with a virus protection that has lapsed, and that you maintain your operating system. And, secondly, one of the cheaper things to do is to train your employees, is to make this part of the regular training, part of the culture. I would say that one of the most important things and most cost effective things is to bring that to the very highest level. In fact, in a small company, because so much is done at the executive level–because the president or the chairman or the owner of the company is very often involved in some of the most intricate parts of the company–that's a very important person to train.

Michael Gold: Do you also find in a larger organization that there is often a disconnect between the people in the C-Suite and the Board of Directors, and the people who are responsible for the cybersecurity effort?

Bob Braun: I think it's a little bit more than a disconnect. I think there is sometimes no communication at all. You know, one of the problems at the C Suite is that these people take a very big picture very often, and have no background in security or in privacy. That's not what they're hired for–they're hired for long range planning. They are hired because they have the ability to help direct the company into certain areas. They're not down on the same granular level that the IT and security people are. And one thing you've talked about, and maybe you want to spend a minute, is the fact that there is a lack of comprehension because of the acceleration of change and the jargon so many of the IT people use.

Michael Gold: Well, one of the things that I find when I am counselling boards of directors and C-level officers and companies is that there is a disconnect. Sometimes the disconnect seems almost intentional, because with cybersecurity what you have is incredibly rapid change. You have extremely technical jargon, and you also have an almost unnatural reliance on the competence on the technology people in your organization that take care of cyber security. One of the issues that you and I see over and over and over again is that IT people are not cybersecurity people.

Very often, the IT staff of a company will be overburdened, not just with the day to day information technology work they need to do, but also the cybersecurity work that they have some knowledge about but are simply not trained to deal with. The cybersecurity mindset is a very different mindset than the information technology mindset. An information technology mindset is to keep the enterprise up and running, and it's all about business continuity. It's not to say that the IT people don't play a crucial role in the cybersecurity effort. Somebody who is focusing on cybersecurity is focusing on policies, focusing on the kind of cybersecurity infrastructure that's necessary–the interaction between the cybersecurity infrastructure and business continuity, communicating to major stakeholders in the company, what kinds of threats they're encountering, what they need to prepare for, how nimble do they have to be for the next generation of cyber threats. Those are the kinds of challenges I'm running into more and more.