Jennifer Lawrence. Rihanna. Kirsten Dunst. These are but a few of the A-list celebrities whose private photos were hacked and posted on the web. Their repositories? Some suggest other big names such as Apple’s iCloud and Dropbox were vulnerable to security breaches that allowed the photos to be stolen and distributed.
Most people will watch as the high-profile actors and artists scramble to scrub the compromising images from the Web, secure in the sense that their suggestive selfies would never appeal to a cybercriminal looking for his or her own 15 minutes of fame. That confidence is misplaced. Even businesses that don’t traffic in celebrities’ images (or in NSFW staff selfies) need to be on guard. A study by Symantec revealed that businesses with 2,500 employees or fewer accounted for half of all targeted attacks, even though another study by Neustar and IDG Research Services found that an overwhelming number (86%) of IT managers believe they are adequately protected.
For midmarket businesses, the risk of cybercrime is enormous thanks to a potent cocktail of malicious code, increasingly sophisticated hackers, and many companies that encourage staff to bring their own device (BYOD) to use at work. Gartner anticipates that in three years, half of employers will require staff to supply their own smartphone or tablet, with the majority of adopters being mid-size organizations. Apple’s iCloud, in particular, was reported to have had a security vulnerability for months before Apple came out with a patch.
According to the Neustar report, most companies rely on in-house technology to defend against attacks:
- 77 percent have firewalls
- 65 percent have routers and switches
- 59 percent have intrusion detection.
Only a little over a quarter (26 percent) use cloud-based mitigation services.
What You Don’t Know Could Cost You Big Bucks
That’s because most mid-size businesses are focused on growth, specifically investing in talent and technology to help boost market share. As such, many take a “set it and forget it” policy for their systems and data, assuming that backing up to the cloud is enough to keep the wheels turning in case of disaster. In doing so, companies are ignoring the potential impact a security breach could have on their banking or intellectual property, not to mention the impact of a DDoS attack.
These Distributed Denial of Service (DDoS) crimes occur when powerful botnets (digital armies deployed to do nothing but target a site with messages) take down a company’s website. They are becoming more common as botnets can be rented for a pittance, often at just $7 per hour. Internet security provider Defense.Net revealed that DDoS attacks were up sixteen-fold over last year.
Cheap to deploy, but costly to clean up. The Ponemon Institute found that the average cost of committing a cybercrime rose 26 percent in 2013 to $11.6 million. Individual losses from the companies surveyed were as high as $58 million.
Even more insidious is that these crimes often go undetected for a long time as malicious code lies dormant in a system. Ponemon estimates it could take as many as 234 days for a company to clue in, but Neustar found that most DDoS attacks are detected about 4.5 hours after they start and mitigation doesn’t start until nearly five more hours pass. Neustar’s market manager for DDoS solutions, Susan Warner, explains, “An administrator may believe that if the system goes down for a few hours it’s not a big deal, but may not realize there is going to be hundreds of thousands of dollars of marketing spend lost for every hour of site downtime.”
And she adds, “If an attack results in an outage lasting days, the economic results could be catastrophic. To some companies, it could even be fatal.”