It hits consumers when banking information lands in malicious hands, leading to unapproved charges that are tough to dispute. Health insurers see it when their members' personal data is stolen, leaving policyholders vulnerable to identity theft. And companies of all stripes suffer when a hacker penetrates bank accounts, ordering wire transfers that can wipe out reserves in seconds.
A data breach is no longer an "if" proposition but a "when it happens" affair. In CIT's 2015 Voice of the Middle Market™ survey, data security was cited as the top business concern for executives, and the fastest growing. Eighty-three percent of executives mentioned data security as a concern this year, compared to 67 percent in 2014.
Almost half of respondents in our survey, covering companies reporting revenue between $25 million and $1 billion, said they were "very concerned" about data security this year.
Information security managers, finance officers and other executives who ultimately must respond to these cyber threats can take a number of steps to stay ahead of cyber adversaries.
Data breaches in retail, healthcare and social networks are among the assaults that have dominated news feeds in recent months. For mid-sized organizations, however, the human factor is arguably the biggest threat.
First, employees may not be properly trained to identify phishing attacks, in which impersonators trawl for sensitive data. Employees may go online through insecure wireless networks, unwittingly exposing proprietary details to criminals. Passwords and flash drives get shared. Laptops and mobile devices are misplaced or stolen without proper procedures to protect the information on the devices.
Forward-thinking companies can take a number of steps to equip their teams for cyber-attack resistance.
Two-step and even multi-step verification can add layers of data security when sensitive information is at stake. Managers can require employees to change passwords at frequent intervals, and also mandate best practices for the composition of passwords, such as combining numbers, letters and symbols. Firms can also require periodic training in cyber security awareness to ensure employees have up-to-date information on the threat environment.
Companies increasingly are viewing cyber awareness as a public policy matter. In our survey, data security was among the agenda items middle market executives said they'd like Congress to address in 2016.
Both chambers of Congress have already taken action on legislation that would govern data-sharing between companies and the federal government, but each chamber takes a different approach. It is possible that Congress will come to an agreement on final language in the next several months.
Private companies, meanwhile, are largely on their own when it comes to awareness of cyber threats. Corporations must navigate a patchwork of individual data breach notification statutes in 47 states, the District of Columbia and several U.S. territories.
For mid-sized companies doing business across multiple jurisdictions, it's a costly undertaking to sort through the laws. Prevention of breaches from the outset as part of a cyber protection program should also be top of mind for middle market executives.
Some companies have sought insurance to shoulder the costs of a data breach. Lost and stolen records cost an organization $3.8 million on average, according to a recent independent study.
Many of the biggest insurers are limiting coverage to $100 million. For perspective, the Target data breach of 2013 cost $264 million, so companies suffering larger breaches may end up covering costs out of pocket.
To be sure, only a small minority of firms have opted to take out such policies, and many of the latest policies don't cover the latest scams.
Corporate leaders should approach cyber insurance as they would any other vendor or provider - negotiating the coverage carefully to ensure they're protected from claims of negligence.
Leadership on cyber security is now part of the job description for mid-market executives.
For some firms, fulfilling that expanded role means tapping a chief security officer who reports to the CEO. At others, that means recruiting board members who "get" cyber security and can hold the C-Suite accountable for data protection. Some forward-thinking companies are even doing tabletop exercises, creating simulated data breaches with external experts - much like disaster drills.
The new normal in a digital world means companies can no longer get by without a strategy to address cyber threats, education for their teams and ongoing awareness of the business consequences when data ends up in the wrong hands.
Today's middle market companies are cutting the technology cord. On-premises software and equipment have given way to cloud computing across an array of business functions. Routine tasks, such as payroll and procurement can b