Woman works from home on laptopWhen the working world went remote due to the COVID-19 pandemic, many never returned to the office. This created new data-security challenges for many businesses, with an increasing amount of sensitive data now being stowed in the cloud, and workers continuing to access company data from off-site locations.

How safe is cloud security, which now often relies on “zero trust” security principles based on a user’s location rather than user credentials? While some worry that cloud security is less reliable than on-premise security, that’s not actually the case, particularly for mid-market businesses. The fact is that your data is actually more secure in a remote data center managed by security experts than by your in-house IT team.

You may feel a false sense of security by having your IT department guard your servers in a closet — but this strategy is extremely risky when it comes to data protection. It’s not standard for mid-market IT departments to possess expert skills in cloud security and data security, which are needed to properly safeguard data. Many mid-market companies, particularly those not in highly regulated industries, do not currently have Security Operations Centers.

What’s more, it came to light at the end of 2021 that cyber-insurance renewals are becoming at times prohibitively expensive for all industries due to the exponential increase in cyber-attacks seen last year. The only way for mid-market companies in all industries to lower cyber-insurance premiums and ensure coverage is to implement enhanced data security measures.

Since data protection has become the most prevalent challenge in the cybersecurity market, it’s no surprise to see that according to Insights for Professionals, data protection is the main focus in 2022 for 85 percent of businesses surveyed; 37 percent plan to invest up to $500,000 on data protection in 2022, and 31 percent plan to invest more than $500,000 on data protection over the next 18 months. McKinsey also reports that 85 percent of midsize enterprises plan to boost their IT security spend until 2023.

All-Time High Cybercrime

Ransomware attacks increased over 105%Still, it would be misleading to imply that cloud security comes with no challenges. One of the biggest ongoing concerns are ransomware attacks, which increased over 105 percent in 2021. Cybercriminals continue to attain new levels of sophistication, with payment demands skyrocketing into tens of millions of dollars. According to McKinsey, the costs related to cybercrime will continue to ascend in the coming years, with a 15 percent yearly increase leading to cybercrime costs reaching $10.5 trillion a year in 2025. Looking ahead over the next decade, by 2031, Cybersecurity Ventures estimates ransomware costs alone should reach $265 billion.

McKinsey reports that there are multiple motivations for these attacks, headed by the fact that pandemic-weary companies have become ripe for security vulnerabilities. Also, as advancing digitization continues to drive connectivity and employees now log in from anywhere — including unsecured home networks — it makes life easier for ransomware hackers. The traditional smash and grab approach is now being replaced with bad actors “dwelling” undetected within victims’ environments, which gives cybercriminals the lay of the land in understanding where the highest value information resides before selling it to the highest bidder.

Another motivation for the continued attacks is their success: as more companies are forced to pay ransoms, hackers are further incentivized to build on their well-paid victories and continue innovating on this lucrative threat. Specific sectors are particularly at risk; keep in mind that in the U.S., supply-chain attacks rose 42 percent in Q1 of 2021, victimizing as many as 7 million people, while McKinsey shared that “security threats against industrial control systems and operational technology more than tripled in 2020.”  The war in Ukraine has taught us lessons about attacks compromising infrastructure, utilities and government that can debilitate nations and be weaponized.

Paying Up

These massive numbers can seem overwhelming, and can also make it difficult to tell how much a ransomware attack can affect an individual company. To give you some perspective, consider these stats:

  • NPR reported that Colonial Pipeline paid a $4.4 million ransom after the company shut down operations.
  • CNBC reported that global meat producer JBS paid ransomware hackers $11 million.
  • Insider reported that global insurance provider CNA Financial forked over a reported mind-blowing $40 million post-cyber-attack.
  • The Washington Post reported that a ransomware attack on U.S. software provider Kaseya targeted the firm’s remote-computer-management tool and endangered up to 2,000 companies globally.

These costs are also just the tip of the iceberg for the companies victimized by ransomware hackers. Additional costs of such an attack include everything from paying third parties (like legal, PR, and negotiation firms), not to mention the opportunity costs of having executives, staff, and teams disconnected from their day-to-day roles for weeks or months to deal with the attack’s aftermath. Perhaps the biggest unaccounted-for expense is the resulting lost revenue.

Ask These 4 Questions

What can mid-market companies do in the face of these threats to their data’s safety? They should focus on strategies that address ransomware prevention, preparation, response, and recovery. Since this is an ongoing journey, threats continue to evolve and improve — so it’s critical to keep up to date with new threats of increasing sophistication, while being ready with cybersecurity strategies and best practices. The goal is to continue to build cyber maturity that creates a resilient approach. You may not be able to stop attacks from occurring, but when they do, they won’t have the same impact if you’ve prepared in this way.

As a starting point, these are four questions that every mid-market company should ask itself to determine the organization’s readiness for data defense:

  1. When it comes to our people, do we have security focused IT leadership, trained cloud security experts, and data security experts?
  2. When it comes to our process, do we have defined IT security processes for proactively managing the security posture of our environments?
  3. When it comes to our technology, are we 100 percent confident in our security tech and our ability to actively monitor and detect threats around the clock?
  4. When it comes to our cloud architecture, are we confident that it allows for scalability without sacrificing security assurances?
Security components: people, process, technology, cloud

If the answer is “no” or “I don’t know” to any of these questions, it is time to get your house in order — you are at risk. To stay alive, compete, and drive value, mid-market companies should shift their focus to data analytics, data management, security, and compliance. This requires a cloud-based data center, a cloud-native data management platform, and cloud-native analytics. Ensuring the right infrastructure to maximize the capabilities of data centers — and how they are able to manage and store data — is crucial to effective mid-market digital transformation.