Ninety percent of all U.S. companies (not to mention our clients) are classified as “midsize enterprises” (MSEs), which Gartner Research defines as organizations with 100-1000 employees, or $50M to$100B in revenue. Of those, organizations that support 500-3,000 users tend to have an IT security team managed by just two or three people, according to Gartner’s Security and Risk Management Leaders initiative, and 40% of MSEs don’t have any cybersecurity expert in-house, creating a void is usually filled by network engineers or IT managers.
Such “lean” security teams will inevitably have a tougher time covering all their IT security bases and responding in the event of an attack—and end up even bigger targets as a result. While large organizations often grab headlines, a recent study evaluating the State of Cybersecurity for Midsize Organizations found that almost 2/3rds of MSEs endured a ransomware attack in the last 18 months.
If these numbers show us anything, it’s that MSEs have as much to solve as both larger and smaller enterprises. But IT security protocols aren’t “one strategy fits all,” so let’s explore what does better fit MSEs.
At the heart of the challenges for MSEs and their security? Most prevailing IT security strategies are designed to deploy over far larger enterprises or smaller, manageable networks. But because organizations come in all different kinds, they face all different sorts of threat vectors.
For midsize enterprises, threats tend to be exacerbated by poor visibility. Strategic patch management and deployment, for instance, should be a priority for any midsize IT security team. According to a Ponemon Institute Vulnerability Survey, 60% of data breaches can be attributed to unpatched vulnerabilities. Plus, analysts Patrick Long and Mitchell Schneider from Gartner warn that by 2025, 70% of MSEs with a traditional, “frontal” approach to vulnerability management will have been breached.
What’s the takeaway for MSEs? Don’t take patch management as a challenge to patch as many vulnerabilities in as short a time as possible. Long and Schneider note that one of the most significant challenges to MSEs is keeping up with the slew of vulnerabilities that routine scanning cycles are sure to uncover. Instead, work smarter by identifying critical infrastructure, endpoints, and applications, and prioritizing them in your remediation efforts.
Some systems will have prioritization capabilities. Gartner recommends a vulnerability impact analysis, which will need to be performed routinely as your enterprise grows and takes on more important assets. Common Vulnerability Service Scores (CVSS) are a strong baseline, but it’s equally important to stay tapped into the threat intelligence of the day. In the end, knowing your most vulnerable assets won’t tell you whether those assets are actively being targeted by hackers. Your IT security team should be prepared to do their research and refocus their attention accordingly.
Additionally, bolster your security architecture with strategic layering of controls. MSEs are at risk of collecting security controls with overlapping functionality that ultimately don’t protect more than the data on the surface. Talk to your security vendor about evenly distributing levels of security tools for an effective barrier against attacks on all fronts. Security controls should ideally fit together like puzzle pieces—and the better they work together, the stronger a defense they’ll be for your MSE.
This Size Fits All
In any effective IT security strategy, including for MSEs, preventative measures matter. And yet reality paints a concerning picture, where 65% of organizations surveyed for the State of Cybersecurity study hadn’t conducted a risk assessment in the time sampled. The consequences were costly: of the 2/3rds hit with ransomware, 20% paid $250,000 or more to recover in full, 31% reported a drop in daily operations and productivity, and 20% noted that their total recovery time was between one and six months. To help avoid a cyber-attack in the first place, budget for regular and robust security assessments to ensure your cyber-defenses are up to par—you’ll end up saving in the long-run.
A Fitting Partner
Not all vendors are created equal, and rare is the one with deep and dedicated MSE security experience. So if you’re going to complement your in-house team, choose an expert partner who truly knows your space.
BAI Security was founded in 2007 by IT Security expert Michael Bruck to serve MSEs with high quality, yet cost-effective offerings. Specializing in serving MSEs in the most highly regulated sectors, our exhaustive IT Security Assessment utilizes only best-in-class tools, giving clients the deepest dive and most accurate results possible, along with customized recommendations for remediation. See our whole array of customizable offerings here.
Work with an MSE security expert to reduce risk and elevate your security posture—contact us today.