MES IT Security Board member Doug Pontious breaks down the steps midsize enterprises must take to protect themselves in an attack.
Security must be every employee’s concern. It can’t just be delegated to a single group of employees or a department.
The prevailing wisdom throughout many small to midsize enterprises is that a company is truly in the minority if it hasn’t experienced some type of security incident, no matter how big or small.
Doug Pontious serves as the business intelligence and analytics executive at Amerisure, an insurance organization based in Farmington Hills, Michigan, specializing in managing risk for businesses in construction, manufacturing and healthcare.
Pontious says that companies need to look at security differently than they did in the past.
“Attacks and breaches coming at us are very automated. The old attacks were very targeted. Today, hackers can basically spray their attacks out across any business. And, the odds are in their favor.”
He believes that if a company hasn’t been breached, “it’s just a matter of when.”
Because many midsize enterprises are not fully prepared to handle a security breach, Pontious lays out three steps companies should take to be ready for an eventual attack.
Fortify the Perimeter and Inside the Walls
Pontious explains that external fortification is a necessity, but there’s more to it than just that.
“Sophistication within the cybersecurity world is at an all-time high. It’s becoming very difficult for a lot of companies, especially smaller companies, to really keep pace with it.”
Pontious and the Amerisure security team have taken steps to keep their data catalogs current, establish data governance, and implement data loss prevention, protecting both the perimeter and the infrastructure behind it.
Train Your Employees
Pontious says Amerisure uses various campaigns and marketing blitzes to make sure employees are current on the latest security trends. The company even stages its own phishing attacks.
“We closely monitor it. It’s run by the business and IT department. We can actually track who -- in our enterprise, down to every single employee -- fell for it.”
Pontious says that any employee who is fooled by the simulated phishing attack is required to take a security course.
Plan for the Day You’re Breached
Pontious says organizations must be ready for the inevitable day when they are breached.
“Have templates, legal involvement and corporate sponsorship in place for how you handle a breach from a regulatory standpoint. Your time to react once you know you’ve had a sizeable breach is very short.”
He says Amerisure is doing everything it can on its end, working with its executive, PR and legal teams so that each knows exactly what actions to take if the company is attacked.
Pontious says the MES IT Security event is critical because it will allow attendees to learn more than just how to build a security strategy.
“We want attendees to actually get down into the possibility of understanding, learning some things, and having some actions they can actually take back and start working on. Our audience can actually obtain actionable items, not just stats.”
He says the MES IT Security event will also help midsize enterprises prioritize risk assessment and security spending, because, “now that this stuff is automated, we’re the same target as the big guys, although we have probably a fraction of the IT security budget.”
Lastly, Pontious emphasizes how the MES IT Security event will allow attendees to network with one another and build contacts that they can use to collaborate in the future.
“There’s nothing better than walking into the event, having a challenge or an issue, not quite knowing where to start, and sitting in a Boardroom next to a guy who says he solved it last week. You got such a major jumpstart on it, and you can do it for a fraction of the cost.”