Jacksonville Business Journal: Cybersecurity Threats are Expanding Beyond Large Organizations

The bad guys in cyberspace are going where there’s opportunity, which means small- and medium-size organizations are often viewed as being more vulnerable — but still valuable —targets. Small and medium-size companies are being singled out for a myriad cyberthreats that collectively cost businesses trillions of dollars a year.

These firms and government agencies may think firewalls and antivirus software are keeping them safe, but the evolution of cyber warfare has made them more vulnerable than ever before, say executives at Emtec Inc., a global information technology consulting firm based in Jacksonville.

“The level of attacks on these organizations is going up, and they’re becoming more sophisticated,” said Doug Goodall, managing partner of Emtec’s infrastructure services division. “Artificial intelligence is being deployed to make cyberwarfare even more efficient. Factor in Covid-19 and the rise of the remote workforce, and firewalls and anti-virus protection won’t be enough to stop threats like email phishing and other social engineering techniques, which leads to ransomware.”

Goodall referenced the Ponemon Institute’s “2019 Global State of Cybersecurity in Small and Medium-sized Businesses” report that found that 66% of small and medium-sized firms experienced a cyberattack over the past year, and 63% experienced a data breach. Those companies spent an average of $1.2 million because of damage or theft of IT assets and infrastructure.

The IT industry considers a data breach a security incident where personal data is accessed without authorization. In general, data breaches are also personal data breaches and may be accidental or deliberate. By comparison, a cyberattack is broader than a data breach, is deliberate and can be more disruptive to business.

Defenses being tested

Once an attacker gets into a network, it usually takes about 200 days before the breach is discovered, Goodall said. Cybercriminals wait patiently while gathering data before pulling the trigger.

“It’s like [someone] breaking into a house, hiding in a basement for months and you didn’t even know they were there,” Goodall said. “Once they do pull the trigger, they’re extremely effective.”

According to a 2019 study from Comparitech, Florida has had the fourth-most data breaches nationwide over a 10-year period – 523 incidents that exposed 353 million records. Recent examples of cybercriminal success in Florida include:

• In 2019, employees of NCH Healthcare System in Bonita Springs fell victim to an email phishing scheme that allowed the hacker to gain access to employee payroll records and email accounts. Those email accounts may have included patients’ names, dates of birth, driver’s license numbers and card payment and insurance information, according to a press release.
• In 2019, Riviera City paid $600,000 after a police department employee opened an email that led to a ransomware demand, ZDNet reported. It also resulted in the need to spend $941,000 to completely rebuild its IT infrastructure.
• Lake City suffered a ransomware attack in 2019 that forced it to pay $460,000. A personalized phishing attack that passed through spam filters and antivirus software led employees to click on emails that seemed like they had come from legitimate contacts, the New York Times reported.

Overcoming investment challenges

Not only do small- and medium-sized organizations have the same threat landscape as larger firms, they have three extra challenges, said Colwyn Warner, vice president of strategic client solutions at Emtec.

• Limited budgets lead to piecemeal solutions and not a comprehensive strategy to prevent, detect and resolve incidents.
• Internal resources called upon to support IT needs may not have the time or skillsets necessary to fully support the initiative.
• A limited cyber talent pool makes attracting cyber security experts challenging.

Warner said small- and medium-sized organizations can blunt those challenges by working with a technology consulting partner that can customize solutions for particular needs and budgets.

Partnering with an IT consulting firm allows organizations to move security into third-party hands, which can free up internal resources to focus on other mission-critical work and eliminate the need to compete with others for IT talent. And because IT services can now come from cloud-based platforms, organizations can pick from a menu of security options that can be implemented immediately, which eliminates the need to invest in expensive technology infrastructure.

Firms of all sizes can mitigate risks

Fast-growing organizations or those with compliance concerns generally are quick to act regarding cybersecurity, said Keason Drawdy, a senior cybersecurity solutions consultant at Emtec. Other organizations, however, incorrectly believe they aren’t big enough to be on a cybercriminal’s radar.

“It’s important for all organizations, regardless of size, to know they are not immune from a cyberattack,” Drawdy said. “All organizations should be in a state of constant vigilance because getting to 100% secure when it comes to cyber – there’s no such thing.”

“Security solutions should be looked at as a fundamental cost of doing business,” Warner said. “It shouldn’t be analogous to finding the cheapest insurance policy to cover basic needs.”

Small- and medium-sized organizations should conduct regular assessments of their IT systems so they have full visibility into all assets that need to be monitored and protected, said Emtec executives. A risk “scorecard” can help organizations understand the gap that exists between where they are and where they need to be, which will allow them to prioritize their spending.

If done correctly, Goodall said, a cyberstrategy will allow an organization to go on the offensive instead of thinking about security from a defensive position. That will impact the bottom line.

“From a business management perspective, if you’re the CEO, CFO or chief marketing officer, think about it like this – the more secure you are, the more competitive you are,” Goodall said. “Companies want to do business with organizations that they feel safe interacting with in this digital world. Investing in security should be seen as a growth strategy for your organization.”

To learn more about Emtec’s solutions and find out how risk score cards can help organizations evaluate their current cybersecurity measures, visit Emtec.

By Laura Newpoff – Contributor with The Business Journals Content Studio. This article first appeared in Jacksonville Business Journal on July 20, 2020.

Bridgenext combines outstanding talent and deep expertise across an expansive set of exceptional solutions to help clients realize their digital aspirations in ways that propel their businesses forward. Its global consulting and delivery teams across the U.S., Canada and India facilitate highly strategic digital initiatives through digital product engineering, automation, data engineering, and infrastructure modernization services, while elevating brands through digital experience, creative content, and customer data analytics services. Connect with us at https://www.bridgenext.com.