The middle market continues to battle evolving cybersecurity risks

Cybersecurity continues to be a main concern for middle market companies, although the specific risks and challenges are constantly changing. The last year has presented a wide range of threats, from economic uncertainty to geopolitical concerns, and new dangers are always on the horizon. However, organizations are constantly making adjustments and appear to be taking a more proactive cybersecurity approach.

The 2023 RSM US Middle Market Business Index Cybersecurity Special Report leverages data from over 400 senior executives of middle market companies, detailing their cybersecurity and privacy challenges, the frequency and severity of attacks, and ongoing concerns. It provides a glimpse into how the largest segment of the U.S. economy is implementing controls and strategies to address security threats, fighting back against cybercriminals and preparing for what’s next.

While the cybersecurity risk environment remains very elevated, the MMBI report does provide some positive news. The number of breaches reported among middle market companies dropped slightly in this year’s data as protective strategies advance, new solutions become available and executives understand the consequences related to potential incidents. But companies cannot afford to let their guard down as threat actors are always lurking and attempting to exploit vulnerabilities.

The middle market remains a primary target for cybersecurity attacks as the threat environment has evolved over time. In the past year, companies have dealt with a wide range of threats, including ongoing geopolitical risks, an uncertain economy and the lingering effects of the COVID-19 pandemic. Now, more than ever, threats can come from several directions, so companies need to prepare.

As the amount and scope of cybersecurity attacks have increased in recent years, even the breaches at larger organizations that previously made national headlines barely garner public attention. We know that no company is completely immune to a breach, and attackers will work to find the most vulnerable targets for an attack. That often means focusing on smaller and midsized companies that may not have the budget and internal resources of larger organizations.

The positive news is that despite the increasing pressure from various threats, the number of reported breaches is slightly down as organizations generally appear to take cybersecurity challenges more seriously. But despite easing, the number is still elevated, and companies cannot afford to relax. Instead, they must continue to focus on expanding protections and implementing cybersecurity strategies that align with company investments and goals while criminals relentlessly pursue vulnerable systems, data and intellectual property.

“A critical element of any cybersecurity strategy is for boards to authorize investments in organizational, educational and cultural changes needed to close the cybersecurity governance gap and to develop a contextual understanding of how a company’s business systems function and interact. There are no ‘check-the-box’ solutions for cybersecurity governance,” says Rod Hackman, RSM cybersecurity risk and board advisor.

Middle market leaders provided a valuable look into their ongoing cybersecurity efforts in a 2023 RSM US Middle Market Business Index first quarter survey. The survey polled 406 senior executives at midsize organizations about their cybersecurity and data privacy challenges, revealing the frequency and severity of attacks and providing details about ongoing threats. The survey research offers a glimpse into how the largest segment of the U.S. economy is implementing controls and strategies to address security threats and combat the tactics of cybercriminals. In almost all cases, research provides specific data for smaller ($10 million to less than $50 million in revenue) and larger ($50 million to $1 billion in revenue) middle market organizations.

According to the MMBI data, 20% of middle market executives claimed their company experienced a data breach within the last year, representing a slight decline from 22% in last year’s survey. Larger middle market organizations were once again more at risk (28%) compared to their smaller counterparts (12%). Still, they showed a small reduction in attacks while those at smaller companies stayed the same.

Consistent with the decline in reported attacks, the number of executives anticipating unauthorized users attempting to access data or systems in 2023 eased to 68% from 72% last year. However, that is still a large number, and companies appear to recognize the need to invest in more cybersecurity resources. This investment is demonstrated in the MMBI survey data, as 77% of respondents disclosed that they have a dedicated function focused on data security and privacy, a considerable jump from 60% last year.

In addition, the majority of middle market executives understand the importance of carrying a cyber insurance policy. The RSM survey found that 68% of companies have such a policy, up from 61% last year. The data shows that the number of smaller companies that utilize cyber insurance rose slightly while larger companies with policies rose significantly to 70% from 57% in 2022.

Data privacy will likely soon become a priority of many middle market risk strategies, with state-level laws going into effect in California, Colorado, Connecticut, Iowa, Utah and Virginia and the scope of many others coming into focus. The basis of these laws is to specify who should collect and possess sensitive data and how to store it. Simply put, companies no longer need to just detail how information from customers and users is stored, but why they need that data in the first place. The inspiration for these U.S. laws is the European Union’s General Data Protection Regulation, a landmark piece of legislation that took effect in 2018 and served as a blueprint for other data privacy standards worldwide.

The MMBI research shows that data privacy is on the radar of most middle market companies, with 57% of executives disclosing they are familiar with the requirements of the GDPR, a slight decline from 2022. However, 96% of respondents report that preparing for emerging privacy legislation or regulations is at least a priority of minor importance, the same amount found in last year’s survey.

The cybersecurity environment is expected to remain volatile for middle market companies, with current threats projected to continue and new threats periodically emerging at the hands of skilled criminals. Benchmarking opportunities and perspectives from peers are critical tools to fight back against threats and develop effective cybersecurity strategies. To that end, RSM has developed this report to provide relevant middle market cybersecurity insights and data privacy trends, as well as to outline tactics organizations can utilize to strengthen security and privacy programs.

While geopolitical conflicts and the uncertain economy have created significant challenges in the middle market, the COVID-19 pandemic resulted in a seismic shift in the entire business environment, with aftereffects still being felt today. But with those dramatic changes, middle market companies have also made strategic process changes that show how seriously they are taking cybersecurity.

Changes during the pandemic are still felt today

When the pandemic initially struck, many companies rapidly transitioned to a remote work strategy, upending the traditional office environment and requiring new technology investments ranging from productivity software to more extensive cloud storage.

“Even organizations that could never fathom the idea of having remote servers and cloud systems had to make it work because their workforce was all remote,” said Tauseef Ghazi, RSM principal and national leader of security and privacy services. “The biggest amount of digital transformation that you could have imagined in the middle market has taken place because of COVID-19.”

Driven by the pandemic, organizations have relied more heavily on technology over the last three years. And with this transition, they have been forced to become more tech savvy. In 2020, year one of the pandemic, middle market companies were scrambling to find and implement solutions. In year two, companies were working through their new environments and making adjustments where necessary. Now, in year three, everything is up and running, and it’s a new way of running the business.

“Over the last three years, organizations have become more digital—the market has forced them to,” commented Ghazi. “Regardless of whether it is a manufacturing, hospitality or automotive company, they are all becoming digital companies. In a lot of ways, they all now resemble tech firms.”

Cybersecurity investments are following in the footsteps of tech advances

With the increasing digital shift, companies moved more infrastructure out to the internet and the cloud; at first, more compromises initially took place because it was low-hanging fruit for criminals. However, as digital strategies have evolved, cybersecurity strategies have also advanced.

For example, the MMBI survey found a sharp increase in the number of middle market companies with a dedicated function focused on security and privacy, as well as significant increases in the number of people responsible for data security and privacy reporting directly to the CEO. These transformational adjustments show that middle market companies understand the importance of cybersecurity as an ongoing effort, not just as challenges arise.

Ghazi describes the correlation between increased digital investments and strategic changes. “Now that you’ve made these digital investments and put your crown jewels on display, you want to make sure you’re also making the necessary investments to protect them.”

Staffing and structural challenges ahead?

However, middle market companies will need to keep an eye on the evolving talent environment. With a growing emphasis on more digital investments across the business world, keeping up with necessary staffing has led to the need for increased investment. The demand for experienced IT resources to manage and protect proprietary information has created a more dynamic IT workforce and has pushed costs up.

In a difficult labor market with unemployment hovering around 3.5% and with a cybersecurity presence now a critical element of doing business, middle market companies generally have two choices for structuring their cyber functions: They can develop in-house talent and procure the tools and technology necessary to support it, or they can leverage a vendor or outside advisor for a managed security services approach. In some cases, a hybrid strategy, with elements of both tactics, may also be appropriate.

In addition, as middle market companies continue to develop digitally, the tasks necessary from a cybersecurity resource perspective will become more complex. For example, companies are starting to utilize hybrid cloud environments that require more attention; and identity and access management will become more critical as users need different levels of access to the growing numbers of solutions and platforms necessary to support the IT environment.

This growing complexity should compel boards to become more involved in understanding the digital systems they govern and invest more time with management to convert complex jargon into the language of business.

The cybersecurity environment will continue to be more challenging as the business world becomes more digital and talent becomes more costly. But as the last three years have shown, the segment is willing to adapt and make investments where necessary.

As each year passes, the cybersecurity environment becomes seemingly more complex for middle market organizations. Companies still contend with the effects of the COVID-19 pandemic and managing various workforce strategies. At the same time, the Russia-Ukraine war and other global issues create a ripple effect of risks at home. As the year has progressed, an uncertain economy has added further complexity to the business environment.

In addition to creating everyday business challenges, these issues have contributed to a landscape where new vulnerabilities can emerge as companies shift resources to keep the business healthy. And while criminals have always been opportunistic, they are consistently changing attack methods and taking advantage of technology to make more of an impact, concurrent with technology improvement taking place at more legitimate businesses.

“Many activities have gotten pretty sophisticated, and there is not always a human behind attacks,” said Ghazi. “Many programs now are automated and running constantly in search of security gaps to exploit.”

The RSM MMBI survey shows that breach risks remain elevated, but the number of reported breaches has fallen slightly for the second-straight year as protective strategies continue to evolve. This year, 20% of middle market executives reported experiencing a data breach in the last 12 months, compared to 22% in last year’s survey. Despite the slight decline in reported breaches, the amount is still twice as high as it was just seven years ago.

Experienced data breach in last year

^{(Click below to explore the results.)}

The number of executives at smaller middle market companies that reported a breach remained consistent with last year’s data (12%), while larger organizations reported a decline in breaches (30% in 2022 to 28% this year).

Consistent with fewer reported breaches, the number of middle market executives who expect a breach attempt in the coming year also fell slightly. In this year’s survey, 68% of participants indicated that unauthorized users are somewhat likely or very likely to access data or systems, down from 72% last year but still up from 64% in 2021 and 55% in 2020.

Once again, confidence in cybersecurity strategies is very high in the middle market. For the second-straight year, 96% of respondents were confident in their current measures to safeguard data, matching last year’s record high.

Ghazi attributes some of the high confidence to the increase in cloud adoption. “Companies have gotten more confident as they have started moving to the cloud,” he said. “But that can create a false sense of security, depending on your strategy.”

Another reason for increased confidence is an apparent shift in strategy to invest in more cybersecurity resources. The number of executives who reported a dedicated function focused on security and privacy increased significantly to 77% this year, up from 60% in last year’s survey.

In addition, many middle market companies appear to have changed their reporting structure in the last year. In this year’s survey, 40% of executives report that the person most responsible for data security and privacy reports directly to the CEO, an increase from 25% last year. That number actually fell slightly at smaller middle market companies (38% in 2022 to 33% in 2023), while it rose significantly at larger organizations this year (16% to 43%).

The rise in investments is further emphasized by the number of middle market executives who reported purchasing new or upgraded hardware in response to publicized data security breaches. This past year, 56% of companies said they implemented new hardware, compared to 40% last year. The increase is even more pronounced at larger middle market companies, with 63% making new hardware purchases in contrast to 36% in 2022.

Even as cybersecurity risks continue to expand and evolve, it’s clear that middle market companies are making a concerted effort to address emerging issues and protect critical information and assets. While the incremental decline in breaches is good news, companies must remain aware of the persistent threat environment around them and adjust strategies, controls and investments to align with risks and overall business objectives.

The cyber insurance landscape has undergone many significant changes in recent years, as insurance companies have imposed more restrictions on qualifications and coverages after dealing with more and more expensive breaches. Cyber insurance is still a valuable element of a comprehensive cybersecurity strategy for middle market companies. But as always, companies need to make sure a policy makes sense, with the appropriate coverages for their needs.

A well-defined cyber insurance policy can help organizations recover quickly from a breach. With the high number of events in recent years, if a middle market company has not had to use cyber insurance themselves, they likely know of a peer that has leveraged a policy to help relieve some of the harm in the wake of a breach. However, companies must understand how the insurance landscape has changed and the alterations in the policy limits and the extent of available coverages.

The RSM MMBI survey found that 68% of respondents currently utilize a cyber insurance policy to protect against internet-based risks, increasing from 61% in last year’s report. A closer look at the data shows that the number of smaller middle market companies with cyber insurance increased to 67% from 65% in 2022, while larger companies that reported carrying a policy jumped significantly to 70% this year from 57% in 2022.

Given the current risk landscape, it’s not surprising that most middle market companies have seen rising cyber insurance costs. In this year’s survey, 70% of respondents reported increased policy premiums, up slightly from the 67% who reported increases in 2022. Consistent with last year, only 2% saw a decrease in premiums.

“A big change in premiums occurred over the last year,” said Franko. “But we are now starting to see the market begin to level out.”

Nearly half of middle market executives (49%) reported an increase in covered risks, compared to 52% in last year’s report. The increase is much more significant for larger middle market companies, with 62% seeing more extensive coverage, compared to 33% of smaller organizations.

Cyber insurance policies are generally fairly modular, with several coverage options that can be combined to meet a company’s specific needs. The most popular coverages reported this year were data destruction (65%), hacking (62%), business interruption (56%) and failure to safeguard data (55%).

However, the RSM MMBI data shows a large drop in coverage for extortion (including ransomware attacks), with 51% of executives carrying coverage compared to 64% in 2022. Similarly, 50% of organizations report coverage for theft, compared to 62% in last year’s data.

“Some carriers are simply removing ransomware from available coverage,” commented Franko. “Insurance companies were suffering big losses, so some decided that they just were not going to cover it anymore.”

With some changes in policy terms and coverages, fewer middle market executives reported being familiar with what their policies cover. Among middle market companies that carry cyber insurance policies, 62% of executives reported they are familiar with their coverage, a decrease from 67% last year. Awareness of coverage for larger middle market companies rose to 84% from 80% last year, while smaller company awareness decreased sharply to 36% from 53%.

“It’s critically important to have a holistic picture of what is and is not covered, not just in your cyber liability insurance, but across all of your insurance platforms,” said Franko. “There can be some crossover—some things might be covered twice, or things may not be covered in your cyber liability insurance but covered by another policy.”

Franko outlined a strategy for leveraging cyber insurance. “You have to understand what your risk is, what your risk thresholds are, what you are willing to pay money to mitigate and what you’re willing to accept, and then transfer the rest to an insurer,” he said. “A company should not just blindly go out and get insurance. That’s a good way to overspend.”

Consistent with previous years, ransomware remains the primary cybersecurity threat to middle market companies, with attacks resulting in several layers of harmful consequences. Ransomware has grown in popularity among threat actors, as it represents a low-risk, high-reward opportunity to generate revenue by taking control of a company’s systems or sensitive data.

The threat has escalated in recent years, with ransomware attacks becoming even easier to launch as threat actors have taken advantage of evolving technology. For example, ransomware-as-a-service applications are now available to would-be threat actors lacking technical skills. They rely on the capabilities of the software developer.

Ransomware threats encompass more than just simple breaches. Attackers who find their way into a victim’s systems or servers can essentially hold a business hostage, demanding a payout to restore systems to working order. But that is often just the tip of the iceberg, as attackers have become even more relentless, and incidents have become even more complex.

“It’s not just the ransom,” said Sean Renshaw, RSM senior director. “It’s also the reputational risk, especially if the attacker starts calling your customers or clients and telling them that their data was stolen, as we have seen recently.”

Renshaw further explained how ransomware attacks can result in significant costs beyond the potential ransom payment. “Over the past few years, there’s been a significant increase in business interruption costs. Companies are essentially out of business, unable to ship products or send out invoices to get paid. The cost of recovery has started to trend upward as well.”

In the past, many companies relied heavily on cyber insurance to alleviate the effects of ransomware attacks, but some insurance providers have reduced or even eliminated coverage for ransomware.

“We see a lot of companies use their insurance policies as their safety net,” said Renshaw. “But I think that is going to become less and less of a safety net as time goes by.”

In this year’s RSM MMBI data, 35% of middle market executives disclosed that they experienced a ransomware attack or demand, up from 23% last year. Larger middle market companies reported a sizable increase, with 54% indicating an attack or demand this year compared to 29% in last year’s report. At the same time, smaller organizations saw a slight decline in incidents to 13% from 16% last year.

Experienced a ransomware attack or demand during the last 12 months

^{(Click below to explore the results.)}

The number of respondents in the MMBI research who know a peer whose company suffered a ransomware attack also increased compared to recent years. In this year’s survey, 45% reported that they know someone whose firm has been the target of an attack, compared to 41% last year and 42% in 2021.

Middle market executives understand that ransomware will continue to be a significant threat. The number of MMBI survey respondents who believe they are at risk for a ransomware attack in the next 12 months stayed fairly consistent—63% compared to 62% a year ago. Seventy-nine percent of respondents from larger middle market companies feel they are at risk for a potential attack this year, compared to 46% of smaller companies.

While the RSM MMBI data showed an increase in reported attacks, many metrics indicate that ransomware attacks actually declined over the past year. For example, a recent SonicWall report showed a 48% drop in ransomware volume in the United States in 2022.

The decreases shown in other surveys are due to various factors, including sanctions imposed on organizations paying a ransom and enhanced cybersecurity measures implemented by companies. In addition, the Russia-Ukraine war has diverted the traditional threat actors’ attention away from ransomware attacks as they wage a cyber battle with each other. In addition, the war has led to increased oversight of financial institutions in Eastern Europe and the freezing of assets, disrupting many networks that previously transmitted ransomware assets.

“Ultimately, that’s where most of the money is traditionally moving,” said Ghazi. “At some point, the Bitcoin has to be transformed into real cash, and that happens at home.”

Renshaw has an explanation for the possible discrepancy between the increase in reported ransomware attacks in RSM’s data and reports of decreased incidents elsewhere.

The ransomware environment will continue to be complicated and very dangerous. Even if attacks are dropping because of the disruption of European financial networks, threat actors will eventually shift to other countries or attackers in other locales will step in to pick up the pieces. Companies recognize that the likelihood of experiencing a ransomware demand or attack is high—how they respond by identifying and containing these incidents will be critical moving forward.

Business takeover threats are among the most persistent and pervasive cybersecurity attacks on middle market companies. The attacks can be straightforward, taking the form of social engineering and employee manipulation, but their low-tech nature means they can be hard to detect. Similar to ransomware, business takeover threats require very little effort or technical skill to launch but can be very harmful to a potential victim.

With social engineering, an attacker will contact an employee directly—by phone, by email or even in person—and try to convince that person to divulge sensitive information or allow access to systems. The attacker may pose as a coworker or trusted third party to give a false sense of security. Many takeover criminals are extremely skilled in identifying and exploiting potential security awareness gaps.

However, the most common business takeover strategy is phishing. Using publicly available information, often from website profiles or social media accounts, attackers create a messaging profile that mimics a friend or coworker. While many of these attacks were, and still are, fairly crude—with easily identifiable red flags—some are increasing in complexity.

The reported frequency of business takeover attempts increased significantly in this year’s data, with 58% of middle market executives indicating that outside parties attempted to manipulate employees by pretending to be trusted third parties or company executives, compared to 45% last year. Executives at smaller middle market companies reported a small increase in attacks to 53% this year from 51% in 2022, while larger companies indicated a sharp jump in incidents to 63% from 40%.

An increase in successful business takeover attempts is a concerning trend in the middle market. Executives in the RSM survey reported that 48% of attempts to manipulate employees were successful over the last year, a considerable increase from 27% in 2022’s data. Larger middle market organizations showed the largest increase, reporting a 68% success rate for attacks, compared to 38% just last year. Smaller middle market companies exhibited a small increase this year—21% from 15%.

“Employees being manipulated has increased given the diverse attack vectors that hackers can use, from the phone (vishing), email (phishing) and even text messages (smishing),” commented Ken Stasiak, RSM principal and national cyber testing and response leader.

Understandably, middle market executives believe business takeover attempts will continue to be a threat. In the MMBI study, 76% of executives said their organization is at risk of an attack by manipulating employees in the next 12 months, the highest number yet recorded in the survey and a slight increase over last year. The number of smaller organizations expecting an attack remained consistent from last year at 68%, while executives from larger organizations who believe a takeover attempt is likely increased slightly to 84%.

With the potential for a business takeover attack to be launched by anybody, companies need to employ various strategies to discourage them. Of the organizations in RSM’s survey that had unsuccessful attacks, 80% listed employees not acting on the fraudulent request as a reason for the failed breach, a 4% increase from last year’s survey. In addition, 63% of middle market executives said that secondary controls prevented the completion of an attack, and 55% acknowledged system controls prevented the delivery of fraudulent communications or materials to employees.

Ultimately, training is the most effective defense against business takeover attacks, providing employees with real-life examples of how criminals commonly attempt to manipulate them. Most middle market companies understand the value of training, with 89% of executives reporting that their organization provides training to at least some employees on detecting, identifying and preventing attempts to gain unauthorized access, consistent with last year’s data. Larger middle market companies appear to offer training to more employees, with 97% providing training to some or all employees, compared to 81% of smaller counterparts.

With the low level of expertise necessary, the amount of exploitable information at the disposal of attackers and constant technological advances, business takeover threats will continue to be a primary threat to middle market organizations. While companies appear to understand the threat, attack methods will continue improving, and training strategies and controls must advance in response.