Middle-market companies have cultures, goals and business needs that are distinct from larger firms, and nowhere is that more true than with cybersecurity.
Fortune 500 companies and brands with household names are much more likely to recover their reputations following a data breach. While breaches are costly in financial terms to all companies, the damage to the brand of a middle-market company may not be survivable. Large companies can weather the storm of negative publicity and loss of reputation, but mid-markets often cannot: 60% of middle-market companies that are hacked are out of business within one year.
This presents a near-paralyzing scenario to middle-market managers – the mere spectre of a data breach presents business risks that are difficult for them to fathom.
In our work with middle-market companies, we’ve developed effective strategies to help companies respond to the risk and protect their vital digital assets. In fact, when the process is managed well, middle-market companies can respond to cybersecurity threats more quickly and effectively than larger businesses.
For middle-market companies, the key is how the issue of cybersecurity is approached.
- Understanding the Risks. It’s important to begin cybersecurity discussions from a holistic standpoint, rather than from an IT standpoint – the answer for smaller firms is not to spend recklessly on technology; it is to understand the risks faced by the company. This is a company-wide concern, not simply a matter of firewalls and passwords. Before engaging security professionals, it is vital to identify and understand the information security threats facing the company. Cybersecurity is a set of business risks, not merely a technical risk.
- Understanding Available Resources. Few middle-market companies can afford multimillion-dollar security budgets. The key is not throwing money at the problem, but investing the right money in the right parts of the problem. Done correctly, preventative measures are less costly than the loss caused by breaches, and are most assuredly less expensive than the kind of brand and reputational damage that can put a middle-market company out of business.
- Creating Language That Incites Change. It’s easy for those outside of IT to get lost in the sea of technical terms. But risks and solutions need to be discussed in terms that can be understood. More important, perhaps, is the need to use language that helps everyone in the company understand the conversion to a cyber-secure organization and the value the company places on its systems and data. Much of cybersecurity best practice comes down to the “human factor”: how employees throughout the organization view computer and data hygiene. The more that training can emphasize “do,” which is proactive, rather than “don’t,” which is inherently reactive, the quicker an organization can fully embrace security as a company-wide goal. This also entails educating top management so they can communicate goals to the company as a whole.
- Learning What Questions Matter. Rather than leaving management to wade through a barrage of analysis from technical teams, it’s important to educate management on the risks facing the company so that they can ask the right questions and come to agreement on which risks must be addressed and contained, and how best to do so. Being able to meaningfully engage with IT professionals and others, in terms that everyone understands, using metaphors and analogies that illuminate, is often the difference between an expensive program and a successful one.
- Privileged Conversations. Involving knowledgeable legal counsel from the beginning gives a company the confidence and security of privileged communication, allowing all involved to more freely discuss risks that need to be addressed, risks that will be tolerated, and where to focus resources.
Moving a company from fear of cost and risk to functional cybersecurity is more a matter of art than technology. It requires a relationship with an experienced, trusted professional who can help a company identify and understand cybersecurity risks, help the company select the technical expertise it needs and provide the kind of holistic guidance that is the hallmark of any cyber-secure organization. Framing the issues in a comprehensible way is the first step to finding the solution in a middle-market company.