
Mid-sized businesses must defend against cyber risks

April 3, 2019

It’s not a matter of if, but when a mid-sized business will be the victim of a cyberattack. Here’s why they can’t ignore cybersecurity concerns.

By Michelle Chia, Senior Vice President, Head of Specialty Products E&O

Michelle Chia is the Head of Specialty Products Errors and Omissions (E&O) for Zurich North America,...


From the Fortune 500 to Main Street, businesses of all sizes are potential targets for cyber crime. And while the breaches earning the biggest headlines are those targeting the largest corporations, mid-sized and smaller organizations share the same vulnerabilities. Indeed, middle market firms may be at greater risk. Most do not possess the cyber defense infrastructure and expertise of larger organizations … and even with more robust defenses, large firms still get hacked.

Sadly, cyber attacks on mid-sized companies are increasing even as these businesses continue to underestimate their risks. According to a recent report by the National Center for the Middle Market, the percentage of mid-sized firms being attacked has risen steadily over the past several years. Further, the true number of successful hacks is sometimes difficult to pin down; breaches often go undetected for 200 days or more, and many cyber attacks on mid-sized companies go unreported.

Cyber attacks can take a variety of forms

Most often, a network incursion is intended to steal and misuse customer or business information for financial gain, or simply to cause mischief. Email attachments containing malicious code can launch malware designed to invade and corrupt data. Ransomware locks access to network data until a typically large ransom is paid. An attack on the software that runs highly specialized industry equipment made by just one or two manufacturers, such as CAD equipment used in construction or diagnostic medical equipment used by hospitals and clinics, could disrupt an entire business segment at once.

Magnifying the risks are mounting regulatory regimes designed to protect citizens against the impacts of cyber attacks on personal data within the systems of businesses and other organizations. With the advent of Europe’s General Data Protection Regulation (GDPR) in 2018, U.S. companies of any size that collect personally identifiable information on EU citizens, such as online merchandise orders, may be subject to potentially huge fines if breaches are not reported within very strict timeframes. In the U.S., the restrictive California Consumer Privacy Act of 2018, slated to take effect in 2020, may become a template followed by other states.


Among the factors exposing middle market businesses to growing cyber risk is that many hackers correctly view smaller firms as backdoors into the networks of larger organizations. This may be the case when a client relationship requires the smaller firm to have access to the network of the larger entity. Because hackers know that mid-sized firms probably do not have defenses as effective as their larger partners, the smaller enterprise represents a softer and more attractive means to an end.

What should mid-sized firms do to strengthen their cyber defenses and protect their networks, data and business viability?

It begins with the realization that a cyber attack is a matter of when … not if. All mid-sized businesses, from construction to manufacturers and retailers, need to have cyber disaster plans in place, crafted with the assistance of experienced cyber risk engineering professionals. With expert help, mid-sized businesses need to conduct periodic vulnerability scans to determine where they might be hacked and whether an attack has already occurred. Such assessments can bring mid-sized firms up to at least a minimum level of resilience and security awareness.

When considering cyber risk, it is unfortunately still true that the human factor remains the weakest link. Employee training will raise awareness of cyber security best practices, such as how to identify phishing attempts and how to follow good password and internet security protocols. Cyber risk training needs to be formalized and given the same emphasis as safety and operational training on critical business equipment, if necessary with the assistance of outside expertise.


Encrypting data stored within the network, and data communicated to and from customers and suppliers, adds an important additional level of protection. Even if hackers penetrate network security, any encrypted data they access will be unusable without the appropriate key.

Networks should also have strong authentication and authorization protocols, be they username/password combinations, certificates, tokens or other techniques to increase assurance that only authorized users may gain access. And, of course, cutting-edge virus and malware defenses should be installed and updated frequently to thwart the increasingly clever, fluid and diabolical tactics used by cyber criminals.


Finally, accessing professional cyber risk insurance solutions increasingly available in the global insurance marketplace is a wise, strategic move that should be considered by any size business concerned about the impact of a breach on its profits, customers and reputation.

The risk is real and growing literally every day. However, with effective planning and proactive measures, middle market businesses can make significant headway in strengthening cyber defenses and resilience. The first and most important step is simply to realize that every business – no matter its size and business segment – is at risk.

The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.
