When it comes to staving off the plethora of security risks facing businesses today, midmarket companies find themselves in a precarious position: They face the same threats as much larger companies but with fewer financial and technical resources to combat them.
Whether it’s fear of ransomware, the need to mitigate the risks of insider threats or the proliferation of Internet of Things devices at home that now pose a threat through remote workers, IT executives at midmarket companies said they are staring down security challenges from all sides, and they are implementing a number of different tactics to do it.
“There’s VPN, there’s multifactor authentication, there’s training and there’s all these security things that are coming with this new paradigm shift of being able to do work [remotely],” said Herman Brown, CIO of the San Francisco District Attorney’s Office.
The IT security landscape looks very different today than it did just a few years ago, said Paul Furtado, vice president, analyst, within Gartner’s Midsize Enterprise Security practice.
“Three years ago, nobody foresaw that we’d be moving 100 percent of our workforce—for a lot of us—to a remote environment,” Furtado said during a keynote address at the MES IT Security conference this week in Indianapolis, an event produced by CRN parent The Channel Company. “And yes, we’re now starting to see trends where companies are bringing folks back into the physical facilities, back into the offices, but the reality is we always have to have a level of hybrid work in our environment. If we don’t, it’s going to impact our ability to retain, and in some cases, even attract talent.”
In addition, bad actors are moving more quickly to weaponize any tool or vulnerability they can use to their advantage, Furtado said.
“ChatGPT, OpenAI, those types of tools, they’re now bringing low-code/no-code malware development to the masses. The frequency of attacks is going to get worse,” Furtado said. “That doesn’t necessarily mean they’re going to be more successful, but we’ve got to be paying attention to that because you know that guy you [angered] that didn’t like his last [performance] review? He now has a tool, even though he’s not a developer, that can generate some malware for him, and he can use it to attack your organization.”
CRN spoke with several midmarket IT leaders at the event about what security challenges they’re facing and what areas they need help in. Here’s what they had to say.
Robert Field
VP, Global Digital Solutions
Precipart
Field, who heads up the IT department at Precipart, a contract manufacturing company based in Farmingdale, N.Y., said that while phishing has a lot of buzz right now, it’s actually malware that has him most worried.
“Malware makes me nervous because something could be sitting on my data for a long, long time,” Field said. “If you get hit with some sort of malware and you’re down, that’s the highest cost possible. We’re down, our business is down, everyone’s down [and] you’re fired.”
Field expects his spending on security to increase each year, particularly as new technologies such as augmented reality/virtual reality headsets get introduced into the design and manufacturing process, bringing with them a new rash of security implications that need to be explored.
“If Boeing has the nose cone of an airplane that doesn’t open up anymore, they put AR goggles on and they put their hands into the nose cone [virtually], and they don’t have to look at anything, so now we have to find a way to secure AR goggles and that data,” Field said. “What if you pick up my goggles now, are you me? How does that work? We still don’t understand that security concept, so I don’t think the budget for security will go down. I continue to increase my security budget every year.”
Paul Shipp
Cybersecurity Specialist
Door County Medical Center
Shipp is part of a team of nine people responsible for the IT needs of a Sturgeon Bay, Wis.-based critical access hospital, a class of medical facilities that target rural U.S. areas. The team manages 1,000 endpoints and 200 servers while grappling with the challenges of finding technical talent and keeping budgets in check.
“We are already a small team. Everybody’s wearing multiple hats, everybody’s got multiple responsibilities,” Shipp said. “One of my jobs—one of my hats—is to try to figure out how can we a) cut costs, b. actually implement security that we need to implement, and c) do it without burning people out.”
It’s a task made more difficult by the fact that hospitals like Door County Medical Center make attractive targets for hackers, he said.
“You can talk to any security expert and they’ll tell you health care is the No. 1 [target],” he said. “Specifically, midsize health care is at the top of attackers’ lists.”
One item on Shipp’s wish list is to implement a new security training program for the hospital’s employees.
“You want to have a successful security training program, but I work with doctors and I don’t want to [make them angry]” Shipp said. “One of the things that I’m looking for is maybe we can find a better security training solution that’s maybe a little cheaper but, more importantly, will not make them upset and make them want to actually [complete the training].”
Charles Hines
Operations, Security Manager
William H. Sadlier
With so many employees working from home, the security risks associated with Internet of Things devices now have Hines worried.
“There are multiple areas to be concerned with, but what has shot to the top of my mind as a result of this conference, actually, is the [IoT devices] in the home,” said Hines, who is part of the four-person IT team at William H. Sadlier, an education publisher based in New York. “A lot of times [hackers] gain access [to networks] via home devices, and then you get onto a computer that you would use to VPN into work.”
Like many employers in the post-pandemic era, the publisher offers a hybrid work environment with a policy that asks employees to be in the office at least two days per week and is grappling with the security concerns that come with it, Hines said.
“It’s the things outside the [corporate] network that we don’t think about so much that are a likely attack point,” Hines said. “We can’t really harden everybody’s household.”