Some regional variations surfaced in the EY Global Capital Confidence Barometer. For example, mid-market companies in China were more concerned about the threat of regulatory penalties linked to cybersecurity than those in other countries. This isn’t surprising, given the strict China Internet Security Law that went into effect in 2017.
Another regional issue we see is that most of the available cybersecurity budget and talent is in the US. In other markets — including South and Central America, the Middle East, Africa and Asia‑Pacific — these resources are much more limited. Considering that most of the world’s population lives in these areas, this creates a huge mismatch.
Also, many mid-market companies in the US and Europe use outsourced technology or support based in emerging markets, where there is limited cybersecurity talent or capability. In fact, much of the affordable technological innovation in the market now comes from such countries.
It is therefore relatively easy for attackers to bury or hide themselves in such small emerging-market companies and wait for a mid-market company to acquire their services. In this way, the mid-market firm can suddenly find that they themselves have been the victim of a Trojan horse attack.
Again, the mid-market companies we work with have seen this happening and know it is an issue. But they generally do not know how to respond, and they do not have a security plan fit for their businesses. In most cases, the robust cyber plan is developed and implemented after a breach.
The smaller companies that mid-market firms buy from are even less likely to have good cybersecurity. As a result, mid-market firms must be sure to check before buying any software or services, as well as before making any acquisitions of smaller companies.
Mid-size firms are often innovative, which tends to mean they rely on contract resources but do not always check the quality of the code they are integrating. Also, some assume that, when buying network connectivity, IT services and cloud applications, cybersecurity comes installed. But that is not necessarily the case. Such vendors can provide those services, but mid-size firms must check in advance before there is any integration of systems or data. In fact, they must not assume that any of their partners — whether core technology suppliers or not — has the right level of security.
Because of these vulnerabilities, we cannot emphasize enough how large a target mid-market companies present to attackers. If your company provides services to bigger companies — for example, updating hardware in smart meters — you may not think you are a prime target of cyber crime. In fact, you are at the top of the list. You must think about it less from a size or industry perspective and instead ask: “What risk do I pose to others?”