Great ResignationClimate ChangeLeadershipInflationUkraine Invasion

Why small firms mean big business for cybersecurity

May 20, 2015, 3:25 PM UTC
Vector of Internet Security Systems
Photograph by Getty Images

With the disturbing revelation that a hacker may have infiltrated the computer systems of a United Airlines flight and possibly interfered with its navigation, the issue of cybersecurity should take on a new sense of urgency.

This comes on the heels of many other recent high profile breaches. Hackers stole the credit card information of 70 million customers from retail giant Target in 2013 and 56 million from Home Depot in 2014; this year, health insurer Anthem announced that cyber thieves swiped 80 million social security numbers from its computers; and last year, online auction site eBay suffered an intrusion that left 145 million user records compromised.

The damage to companies in terms of consumer confidence, public image, and legal trouble from such incidents can be considerable, but nowhere are the effects of cybercrime more dangerous than in finance, where highly sensitive information, large sums of money, and people’s livelihoods can be jeopardized. The attack on JPMorgan Chase last summer, for example, that resulted in the theft of 76 million account holders’ data was a huge black eye for the bank.

Despite this, only 43% of Fortune 1000 companies have adequate technical safeguards against cyber risk, according to risk advisor Willis Group Holdings. Studies conducted by the SEC and FINRA on the financial industry also show a mixed picture. While most big institutions have reasonably robust controls in place, including strong governance, risk assessment, technical safeguards, written policies and procedures, training, and vetting of vendors and business partners, not all firms are performing these tasks as diligently as they could.

The situation is worse for small firms.

For one thing, as cyber threats evolve rapidly and become more sophisticated, financial institutions can be hard pressed to keep up with latest developments, according to a 2014 report by the New York Department of Financial Services. Also, while large banks can afford expensive in-house systems for protection, smaller companies may lack the resources, or even awareness, to secure themselves. That leaves them even more vulnerable to attack. Ironically, these companies also have the most to lose since cybercrime could have a debilitating effect on their business.

This presents a promising opportunity for vendors who can educate and help smaller firms implement cybersecurity defensive measures, such as setting up firewalls, intrusion prevention and management tools, user roles and policies, and communication and data encryption—at an affordable price.

Ranjeet Sodhi, CEO of Pevnost Inc., a New York-based firm that helps organizations plan, build, and execute cybersecurity programs, says that the cost of implementing an information security perimeter should be evaluated against the potential damage that a cyber breach could cause. A hack for a small firm can be devastating since the costs aren’t just limited to the immediate theft of financial or personal data (and lawsuits resulting from it), but also include private intercompany communications, vendor contract details, confidential business information, proprietary systems etc. Hackers could use such data to blackmail a company.

All of this illustrates the critical importance of cybersecurity for all organizations, but particularly smaller companies in the financial sector, and a sweet spot for cybersecurity vendors to focus on.

Kumar has worked in technology, media, and telecom investment banking. He has evaluated mergers and acquisitions in these sectors and provided strategic consulting to media companies and hedge funds. He does not own shares of any of the companies mentioned in this article.