Security Challenges: 5 Midmarket IT Leaders On Where They Need Help
From ransomware and malware to the Internet of Things, midmarket IT leaders are staring down a number of security threats, often with limited resources at hand.
When it comes to staving off the plethora of security risks facing businesses today, midmarket companies find themselves in a precarious position: They face the same threats as much larger companies but with fewer financial and technical resources to combat them.
Whether it’s fear of ransomware, the need to mitigate the risks of insider threats or the proliferation of Internet of Things devices at home that now pose a threat through remote workers, IT executives at midmarket companies said they are staring down security challenges from all sides, and they are implementing a number of different tactics to do it.
“There’s VPN, there’s multifactor authentication, there’s training and there’s all these security things that are coming with this new paradigm shift of being able to do work [remotely],” said Herman Brown, CIO of the San Francisco District Attorney’s Office.
The IT security landscape looks very different today than it did just a few years ago, said Paul Furtado, vice president, analyst, within Gartner’s Midsize Enterprise Security practice.
“Three years ago, nobody foresaw that we’d be moving 100 percent of our workforce—for a lot of us—to a remote environment,” Furtado said during a keynote address at the MES IT Security conference this week in Indianapolis, an event produced by CRN parent The Channel Company. “And yes, we’re now starting to see trends where companies are bringing folks back into the physical facilities, back into the offices, but the reality is we always have to have a level of hybrid work in our environment. If we don’t, it’s going to impact our ability to retain, and in some cases, even attract talent.”
In addition, bad actors are moving more quickly to weaponize any tool or vulnerability they can use to their advantage, Furtado said.
“ChatGPT, OpenAI, those types of tools, they’re now bringing low-code/no-code malware development to the masses. The frequency of attacks is going to get worse,” Furtado said. “That doesn’t necessarily mean they’re going to be more successful, but we’ve got to be paying attention to that because you know that guy you [angered] that didn’t like his last [performance] review? He now has a tool, even though he’s not a developer, that can generate some malware for him, and he can use it to attack your organization.”
CRN spoke with several midmarket IT leaders at the event about what security challenges they’re facing and what areas they need help in. Here’s what they had to say.
VP, Global Digital Solutions
Field, who heads up the IT department at Precipart, a contract manufacturing company based in Farmingdale, N.Y., said that while phishing has a lot of buzz right now, it’s actually malware that has him most worried.
“Malware makes me nervous because something could be sitting on my data for a long, long time,” Field said. “If you get hit with some sort of malware and you’re down, that’s the highest cost possible. We’re down, our business is down, everyone’s down [and] you’re fired.”
Field expects his spending on security to increase each year, particularly as new technologies such as augmented reality/virtual reality headsets get introduced into the design and manufacturing process, bringing with them a new rash of security implications that need to be explored.
“If Boeing has the nose cone of an airplane that doesn’t open up anymore, they put AR goggles on and they put their hands into the nose cone [virtually], and they don’t have to look at anything, so now we have to find a way to secure AR goggles and that data,” Field said. “What if you pick up my goggles now, are you me? How does that work? We still don’t understand that security concept, so I don’t think the budget for security will go down. I continue to increase my security budget every year.”
Door County Medical Center
Shipp is part of a team of nine people responsible for the IT needs of a Sturgeon Bay, Wis.-based critical access hospital, a class of medical facilities that target rural U.S. areas. The team manages 1,000 endpoints and 200 servers while grappling with the challenges of finding technical talent and keeping budgets in check.
“We are already a small team. Everybody’s wearing multiple hats, everybody’s got multiple responsibilities,” Shipp said. “One of my jobs—one of my hats—is to try to figure out how can we a) cut costs, b. actually implement security that we need to implement, and c) do it without burning people out.”
It’s a task made more difficult by the fact that hospitals like Door County Medical Center make attractive targets for hackers, he said.
“You can talk to any security expert and they’ll tell you health care is the No. 1 [target],” he said. “Specifically, midsize health care is at the top of attackers’ lists.”
One item on Shipp’s wish list is to implement a new security training program for the hospital’s employees.
“You want to have a successful security training program, but I work with doctors and I don’t want to [make them angry]” Shipp said. “One of the things that I’m looking for is maybe we can find a better security training solution that’s maybe a little cheaper but, more importantly, will not make them upset and make them want to actually [complete the training].”
Operations, Security Manager
William H. Sadlier
With so many employees working from home, the security risks associated with Internet of Things devices now have Hines worried.
“There are multiple areas to be concerned with, but what has shot to the top of my mind as a result of this conference, actually, is the [IoT devices] in the home,” said Hines, who is part of the four-person IT team at William H. Sadlier, an education publisher based in New York. “A lot of times [hackers] gain access [to networks] via home devices, and then you get onto a computer that you would use to VPN into work.”
Like many employers in the post-pandemic era, the publisher offers a hybrid work environment with a policy that asks employees to be in the office at least two days per week and is grappling with the security concerns that come with it, Hines said.
“It’s the things outside the [corporate] network that we don’t think about so much that are a likely attack point,” Hines said. “We can’t really harden everybody’s household.”
Ridgecrest Regional Hospital
As the head of IT at Ridgecrest Regional Hospital in Ridgecrest, Calif., Patrick is facing challenges felt by many midmarket companies: difficulty finding and retaining technical talent and working within a budget.
“Health care right now is particularly challenged … and what people don’t really understand about health care is we’re kind of unique in that we can’t just raise our prices. Our reimbursements are based on the insurance companies and what they’re going to pay us. Those rates are set.”
He’s also on high alert when it comes to ransomware, particularly because the health-care data he’s tasked with protecting is seen as a high-value target.
“The information that the attackers want is more than just credit card numbers. The information associated with health care is information you can’t change,” Patrick said. “You can’t change your Social Security number, you can’t change your medical record … whereas a credit card number, you can just cancel a credit card number.”
San Francisco District Attorney’s Office
When asked what his biggest challenge is right now, Brown doesn’t hesitate to answer: “People.”
“I always talk about technology, process and people, and technology is the easy piece of it,” said Brown, the CIO for the San Francisco District Attorney’s Office, who is part of a team of eight. “It’s the process that becomes a little bit more difficult as people usually work in silos, and they know their piece of the process, but they don’t understand or know the entire process, but you can get them together and figure that piece out. But the people themselves as individuals are always a challenge because they have different skill sets, different understanding, different desires, especially when you’re talking government where you have employees that have been with the department or the city for 20, 25 years.”
It’s critical to ensure that employees understand why security practices are being implemented and the importance behind them, he said.
“What gets overlooked a lot, I think, is the insider threat,” Brown said. “For the staff, our end users, it’s the training for them, getting them on board and understanding the importance of security, and that security is not just something that’s the responsibility of IT.”
The risks are high whether it’s an employee unwittingly enabling an attack or a disgruntled insider who purposely aims for sabotage, he said.
“A breach is a breach, whether it’s done purposefully or by accident, and you have to be concerned with both,” he said. “If it’s something that’s malicious, then you take a certain approach to that. And if it’s something that’s happened by accident, then you want to train, you want to educate.”