
Midsize Business Cyberattacks: A Security Reality Check


Ransomware bombshells hit large enterprises. Carpet-bomb cyberattacks target MSP software supply chains and their small business customers. But what's the state of cybersecurity among midsize businesses?

Actually, that landscape also faces its share of digital bombshells. Indeed, nearly two in three midsize organizations have suffered a ransomware attack in the past 18 months, and 20 percent of them spent at least $250,000 to recover from it, according to research by UncommonX, an MSSP that leans heavily on its own SaaS-based solutions.

The Chicago-based MSSP’s newly released State of Cybersecurity for Midsize Organizations found that smaller companies are often not properly prepared to fend off a cyber attack, nor do they engage in adequate network monitoring. In short, cybersecurity is often not enough of a priority within midsize companies.

Here are 10 findings from UncommonX’s study of some 220 IT professionals at midsize organizations:

  • More than one-third of businesses indicate that the pandemic has worsened their overall risk levels.
  • Roughly half said work-from-home is a key factor in increasing their cyber risk.
  • 11 percent felt more confident in their cybersecurity protection compared to 18 months ago.
  • Email fraud (53%), phishing (47%), cyber attacks (45%) and cloud account compromise (38%) are their greatest cybersecurity threats.
  • Nearly 50% of respondents indicated moderate to extreme concern that a ransomware attack would negatively affect their business.
  • Of the organizations that did suffer an attack, one in four lost customers and 31% saw daily operations and productivity impacted.
  • About 20% of midsize organizations said it took up to six months for their businesses to fully recover from a ransomware attack. It took even longer for another 12 percent.
  • More than half (53%) of midsize company IT decision makers said cybersecurity is a moderate to high priority for their particular group.
  • 70% believe their greater organization has not prioritized cybersecurity.
  • 35% have conducted a cyber risk assessment in the past year. Less than one-third indicated complete confidence that their networks were adequately mapped.

“There has been a misconception for some time that only large enterprises are attacked due to their perceived ability to pay and the complexity of their networks,” said John Morris, UncommonX chief executive. “Our study clearly demonstrates both the real threat of cybersecurity attacks as well as vulnerabilities midsize organizations face both from external threats but also because it isn’t a priority within the greater organization,” he said. “A one-and-done approach to preparing and monitoring for risks is no longer the answer.”

Co-Managed Security Services?

Among the wildcards to keep in mind: Midsize organizations often have some budget for dedicated IT staff and perhaps even cybersecurity professionals. With that in-house talent in mind, savvy mid-market MSSPs often offer co-managed security services.

The co-managed approach assigns specific cyber responsibilities to MSSPs and their end-customers. The challenge: Making sure specific risk responsibilities are properly assigned to the end-customer and/or the MSSP.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.