How Middle-Market Companies Can Reduce Cybersecurity Risks

In the past, middle-market companies thought they were too small to be the target of a cyberattack, but in recent years, that illusion has become increasingly difficult to maintain.

According to the 2019 Cybersecurity Special Report from RSM US, 15% of middle-market C-suite executives reported a data breach in the last year, an increase from 13% in 2018 and up 5 percentage points from four years ago.

Whether they’ve read about high-profile data breaches at largecap companies, such as Capital One and Equifax, or experienced an attack at their own company, executives are aware of the nightmare scenarios. Colin Zarbough, cybersecurity due diligence director at RSM, suggests it’s time to shift the focus of the conversation about cybersecurity. “I think there’s a real opportunity to educate businesses now, rather than just focus on war stories,” he says.

After consulting with hundreds of companies over his career, Zarbough has identified areas where middle- market companies leave themselves vulnerable.

Assessing Cybersecurity Posture

Many midsize companies have valuable data in the form of customer information and intellectual property but lack the resources of larger organizations—and hackers and other cybercriminals smell blood in the water.

The rising sophistication of criminals and malicious software coincided with companies’ growing reliance on digital technologies—such as virtual workspaces, accounting and human resource software, and other cloudbased services.

However, the security implications of these systems often receive insufficient scrutiny, Zarbough says. When a company adopts new software as it grows, such as more sophisticated sales tools, it’s not uncommon for business leaders to focus on scaling up those capabilities quickly, rather than giving IT personnel enough time to spot gaps in security.

Effective cybersecurity policies include routine procedures like data encryption and software updates, as well as assessments of the access employees or vendors have to certain types of information. Zarbough recommends compartmentalizing company data by department to minimize exposure in the event of a data breach. “An organization’s network security should look like a labyrinth or a maze,” he says. “You want it set up so that if a hacker gets into the environment, it’s hard to move around.”

When a company is acquired, the buyer too often performs what Zarbough calls “light” cybersecurity diligence, which is little more than box-checking. Even during transactions totaling hundreds of millions of dollars or more, companies only devote a few hours to cybersecurity considerations, he says. “If you’re laying out that amount of capital for an asset, to spend two or three hours to look at cybersecurity, I’m not sure how that computes.”

One large corporate buyer Zarbough worked with purchased 35 companies a year. It required each target company to fill out a 30-page questionnaire before they finalized the deal. “I would love to start to see that level of diligence across private equity funds,” he says.

Overcoming the Human Factor

Laura Bacon, managing director at Fahrenheit Advisors, a Richmond, Virginia-based advisory firm, remembers a time when information technology didn’t come with the serious security consequences to company value and reputation that it does today.

“When I first started doing M&A transactions what seems like eons ago, I think the only IT question on our due diligence checklist was ‘How many computers do you have and do you have the appropriate number of software licenses?’” she says.

Bacon has held finance, strategic planning and corporate development roles in public and private companies, and she has managed over $1.5 billion in completed M&A transactions. Since she entered the technology space in 2001 as the CFO of a software company, Bacon has seen how companies have succeeded and failed with their cybersecurity countermeasures and how they can impact M&A. “It’s a completely different world today,” she says. “You must evaluate the risks and understand the vulnerabilities an acquired company can bring to the parent company.”

The biggest vulnerability, according to Bacon, is human behavior: An employee clicked on a bad link, they fell for a fraudulent e-mail, or they kept their password on a sticky note on their desk. Human error can extend up the corporate ladder, too. She says company leaders can be their own worst enemy when constructing cybersecurity defenses.

While working for one company in a previous role, Bacon recalls enforcing a password change every 90 days—a best practice, she says—which frustrated the CEO, who saw it as hampering progress. The experience taught her that even basic procedures require buy-in from management. “You have to have a champion in a senior role in the organization to lead the way to changing behaviors that will protect your company and its most valuable asset—data,” she says.

A Storm Before the Calm

Some cybersecurity systems and their procedures can cost as much as $1 million to set up—a significant barrier for companies as they try to address risks. But for companies looking to sell to private equity, implementing cybersecurity protections can be a way to appeal to prospective buyers.

“Showing that you have a robust compliance policy and practices in place will give investors confidence that you pay attention to the details and understand risk management,” Bacon says. “The value of business data is one of the main things [buyers] are paying for in an acquisition.”

Zarbough foresees more “cataclysmic” breaches at large companies, which may in turn convince middle-market investors to demand cybersecurity countermeasures as a non-negotiable feature when buying a business.

“Once that happens and it gets all these companies to start implementing the proper cyber risk process and procedures during the hold period, it will just be better for the entire ecosystem,” he says.

This story originally appeared in the September/October print edition of Middle Market Growth magazine. Read the full issue in the archive.