Middle-market companies have cultures, goals and business needs that are distinct from those of larger firms, and nowhere is that more true than in cybersecurity.
Fortune 500 companies and brands with household names are much more likely to recover their reputations following a data breach. While breaches are costly in financial terms to all companies, the damage to the brand of a middle-market company may not be survivable. Large companies can weather the storm of negative publicity and loss of reputation, but middle-market companies often cannot: 60% of middle-market companies that are hacked are out of business within one year.
This presents a near-paralyzing scenario to middle-market managers – the mere spectre of a data breach presents business risks that are difficult for them to fathom.
In our work with middle-market companies, we’ve developed effective strategies to help companies respond to the risk and protect their vital digital assets. In fact, when the process is managed well, middle-market companies can respond to cybersecurity threats more quickly and effectively than larger businesses.
For middle-market companies, the key is how the issue of cybersecurity is approached.
- Understanding the Risks. It’s important to begin cybersecurity discussions from a holistic standpoint, rather than from an IT standpoint – the answer for smaller firms is not to spend recklessly on technology; it is to understand the risks faced by the company. This is a company-wide concern, not simply a matter of firewalls and passwords. Before engaging security professionals, it is vital to identify and understand the information security threats facing the company. Cybersecurity is a set of business risks, not merely a technical risk.
- Understanding Available Resources. Few middle-market companies can afford multimillion-dollar security budgets. The key is not throwing money at the problem, but investing the right money in the right parts of the problem. Done correctly, preventative measures are less costly than the losses caused by breaches, and are most assuredly less expensive than the kind of brand and reputational damage that can put a middle-market company out of business.
- Creating Language That Incites Change. It’s easy for those outside of IT to get lost in a sea of technical terms, but risks and solutions need to be discussed in terms that can be understood. More important, perhaps, is the need to use language that helps everyone in the company understand the transition to a cyber-secure organization and the value the company places on its systems and data. Much of cybersecurity best practice comes down to the “human factor”: how employees throughout the organization view computer and data hygiene. The more that training can emphasize “do,” which is proactive, rather than “don’t,” which is inherently reactive, the quicker an organization can fully embrace security as a company-wide goal. This also entails educating top management so they can communicate goals to the company as a whole.
- Learning What Questions Matter. Rather than leaving management to wade through a barrage of analysis from technical teams, it’s important to educate management on the risks facing the company so that they can ask the right questions, agree on which risks must be addressed and contained, and decide how best to do so. Being able to engage meaningfully with IT professionals and others, in terms that everyone understands and using metaphors and analogies that illuminate, is often the difference between an expensive program and a successful one.
- Privileged Conversations. Involving knowledgeable legal counsel from the beginning gives a company the confidence and security of privileged communication, allowing all involved to more freely discuss risks that need to be addressed, risks that will be tolerated, and where to focus resources.
Moving a company from fear of cost and risk to functional cybersecurity is more a matter of art than of technology. It requires a relationship with an experienced, trusted professional who can help a company identify and understand its cybersecurity risks, help it select the technical expertise it needs, and provide the kind of holistic guidance that is the hallmark of any cyber-secure organization. Framing the issues in a comprehensible way is the first step to finding the solution in a middle-market company.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives, and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at MGold@jmbm.com or +1 310.201.3529.