Persistent cybersecurity threats require a new look at protective strategies

Special Report: Cybersecurity 2024

May 30, 2024

A deep analysis of emerging cyberthreats and how to build cyber resilience

Developing a comprehensive cybersecurity approach is a strategic imperative in the middle market, as companies seek to outmaneuver cybercriminals in an ever-evolving digital ecosystem that increases attack risks. Today, the question is not whether an attack will happen but rather when and at what intensity.

The cybersecurity challenge is relentless, as reported breaches in the middle market have tied a record high in new RSM research. According to findings in the Q1 2024 RSM US Middle Market Business Index survey, 28% of middle market executives surveyed said their organizations experienced a data breach in the previous year, rising from 20% in 2023 and matching record results from the 2021 RSM survey.

While all middle market companies are at risk, smaller organizations face more of an uphill battle against cyberthreats, with fewer dedicated internal security personnel and less budget flexibility. In the MMBI survey, 61% of respondents said their companies have two or fewer data security and privacy employees. Among smaller middle market companies, 34% have none, with 27% of those respondents leveraging external providers to fill those critical gaps.

A few of the report’s key findings:

  • 28% of middle market executives reported suffering a data breach in the previous year, tying a record high in RSM’s research.
  • 61% of respondents have two or fewer dedicated data security and privacy employees, and 34% of smaller middle market companies have none.
  • 37% of executives plan to increase the proportion of their organization’s revenue devoted to cybersecurity in the coming year.
  • 11% of respondents said password use is outmoded, representing a crucial opportunity for improved security.


The MMBI survey aggregated the responses of 403 senior executives across a range of middle market companies within varied industries. It was conducted by The Harris Poll for RSM from Jan. 8 to Feb. 16, 2024.

This special report on cybersecurity from the RSM US Middle Market Business Index provides insights into cybersecurity trends, strategies and concerns shaping the marketplace for midsize businesses in an increasingly complex risk environment.



Executive summary

Rising breaches reveal ongoing cybersecurity challenges in the middle market

Key takeaways

  1. Reported cybersecurity breaches in the middle market have tied a record high in RSM’s research.
  2. Reasons include complacency and emerging technology such as AI.
  3. Smaller firms lag in budgets and staffing, as well as in leveraging technology to address threats.

Cybersecurity remains a critical concern for middle market businesses. According to RSM data, reported breaches over a recent one-year period matched a high seen only once before in nine years of data collection by the firm. The threat environment is more challenging now as generative AI and other new technologies increase risk, placing an enterprise emphasis on well-maintained protective strategies.

Twenty-eight percent of middle market executives surveyed in the Q1 RSM US Middle Market Business Index survey said their organizations experienced a data breach in the last year, rising from 20% in the 2023 survey and matching 2021 results. Increases were seen across the board: breaches at smaller middle market companies rose to 20% from 12% a year ago, and those at their larger counterparts rose to 37% from 28%.

Even as breaches were up, 95% of survey respondents are confident in their current security measures. This year’s survey also saw a record-high number of companies that carry a cyber insurance policy (76%) and respondents that made a move to the cloud due to security concerns (55%). But while 37% of executives said cybersecurity will get an increasing share of the organization’s revenue, 61% of middle market decision-makers have two or fewer dedicated data security or privacy employees.

The MMBI survey, conducted online from Jan. 8 to Feb. 16, 2024, on behalf of RSM by The Harris Poll, drew responses from 403 middle market executives across a variety of industries. Survey research provides insights into those at smaller ($10 million to less than $50 million in revenue) and larger ($50 million to $1 billion in revenue) middle market organizations; in many cases large gaps exist between the two groups. The data shows that smaller middle market firms lag their larger counterparts in budgets and staffing, as well as in confidence in implementing, generating value from, and using technology to address threats.

A lot of companies that have never been targeted before are being targeted now.
David Llorens, RSM Principal

RSM risk professionals cite complacency, the rapid adoption of emerging artificial intelligence technology and threats from foreign actors as among the worrisome trends responsible for the recent sharp uptick in cyber incidents.

“In working with clients and customers, there has been a fatigue with cybersecurity,” says Tauseef Ghazi, an RSM principal who leads the firm’s cybersecurity practice. The behavior harks back to the two-year period after the pandemic began, he says, adding: “We are not quite at that point, but we are dangerously close to it.”

Meanwhile, Ghazi notes that breaches are larger, with more widespread and deleterious effects on businesses. “They require a lot of time and effort to recover from,” he says.

Add AI technology to this mix. Broadly lauded for its ability to bolster innovation and wring efficiencies from mundane processes, AI has also become a tool in cybercriminals’ arsenal. When put to ill use, the technology’s algorithms can make short work of the illegal sleuthing that leads to attacks, Ghazi says.

“AI is not only available to the good guys—it’s available to the bad guys as well,” Ghazi says. “What they could do in an hour before, they can do in seconds now.”

Middle market insight

In the past it has always been the large corporations that hackers have gone after. Now they’re going after the medium and smaller-size companies.
Executive, consumer products

RSM Principal David Llorens emphasizes how cybersecurity threats continue to expand. “A lot of companies that have never been targeted before are being targeted now,” he says. “And many of the cyber events that we see are from threat actors that sit in countries not friendly with the U.S.”

At the end of the day, most attacks are based on opportunity. Hackers are relentless and will work to find vulnerabilities to exploit within a company’s network, an entire industry or a broader ecosystem, says Matt Franko, an RSM principal.

“Hackers are like water,” Franko says. “They will flow to where they think they can get money, just like any other business.”

The unpredictability of potential attacks and the broad range of threats to sensitive data and intellectual property require companies to remain ever vigilant. Attacks are occurring more often and becoming more expensive, and they can be very harmful or even fatal for companies with tight profit margins. Any disruption in operations has a direct impact on profitability; the longer an issue persists, the more difficult recovery becomes.


Companies must ensure that controls are up to date and protective measures are leveraged to take a proactive stance in the ongoing battle against cybercrime. They must improve their cybersecurity program and strategy, focusing on:

  • Asset management
  • Digital identity
  • Data governance and security
  • Third-party risk management
  • 24/7 detection and response (often supported by managed security services)
  • Regulatory and compliance requirements (typically using a governance, risk and compliance tool)
  • Risk-based operational resilience

Breaches trend lower in UK as cybersecurity investment rises

Unlike in the United States, where cyber breaches tied an all-time high for middle market companies in the past year, attacks are trending lower in the UK over the same time period. Twenty-one percent of executives in the Q1 UK MMBI survey indicated their business had experienced a breach, down from 27% two years earlier.

  • 88% said their business increased cybersecurity investment in the past year, up from just over half (52%) in the first quarter of 2022.
  • 94% said their organization was somewhat prepared or very prepared for a cyberattack.
  • 50% have plans in place to tackle impending cyber regulation such as NIS2.

*RSM UK conducted a separate survey that polled 408 respondents from Jan. 8 to March 7, 2024.

Cyber budgets are on the rise for many companies

As risks evolve, staffing strategies may also require attention

Key takeaways

  1. More than a third of middle market managers reported increasing the amount of revenue dedicated to cybersecurity in the coming year.
  2. More than 60% of executives have two or fewer internal security and privacy employees.
  3. Budgets most often reside under the chief technology officer or chief information security officer.

Cybersecurity events can result in significant financial repercussions, reputational harm and operational chaos, making it imperative that middle market companies allocate sufficient budget and staff to effectively address threats. While the RSM MMBI data finds that many organizations are increasing budgets, concerns over staffing and how funds are allocated could limit the effectiveness of cybersecurity efforts.

Survey data shows that 37% of the middle market executives overall will increase the proportion of their organization’s revenue devoted to cybersecurity in the upcoming year. But more funding may be necessary to address the cybersecurity threat at smaller organizations, as just 29% of managers from smaller companies planned to increase the amount of revenue dedicated to cybersecurity, compared to nearly half of larger middle market companies (48%).

Spending more does not necessarily ensure an effective strategy, RSM Principal Matt Franko cautions. “During COVID, many companies bought a lot of tools, and many of those had overlapping and redundant uses,” he says, adding that many companies are still seen as tool heavy right now, but may lack the right people and processes in place to take advantage of those investments.

Technology has advanced so much and become essential to every area of the business. But in many cases, the internal skill set is not growing to match new technology.
Tauseef Ghazi, RSM Principal

Budgetary control is an important element in how a cybersecurity strategy is built. Companies emphasize cybersecurity in different ways in the middle market, and therefore, internal funding sources for the function can vary greatly.

The MMBI survey showed cybersecurity was most commonly located under the chief technology officer (51%) or the chief information security officer (42%), according to respondents whose companies had a dedicated function focused on data security and privacy. The report also showed that 34% of companies had cybersecurity budgets under the chief financial officer and 32% residing under the chief executive officer.

“Cybersecurity needs to have a dedicated budget because it’s a risk management function and oftentimes gets sacrificed over other priorities,” says Franko, who favors alignment under the CFO. “You only have so much money to spend, and you have to determine whether you are going to spend it to make money or protect yourself from losing money.”

From a staffing perspective, more than 60% of respondents have two or fewer data security and privacy employees. Not surprisingly, larger middle market organizations have more dedicated internal staff; 40% of those respondents have four individuals or more. Meanwhile, 27% of smaller middle market companies—the largest response in that subset—cited no internal personnel, but instead leverage external providers for data security. Another 7% of smaller middle market companies have no internal personnel and either are considering creating a dedicated function (3%) or are not considering creating a dedicated function (4%).

Within many companies, the question isn’t always about the number of people, but whether they are the right people for the job. In the last decade, companies have become much more dependent on technology, but IT departments may not have kept up with the change.

“Even if products and services are not tech-focused, technology is the highway the business runs on,” says RSM Principal David Llorens. “The moment you block that highway, the business is crippled. You then cannot trust data and you cannot effectively work with clients and customers because everything is interlinked.”

In more recent years, COVID-19 disrupted companies and pushed them to transition to a remote workforce, decentralizing control and effectively creating a larger attack surface.

Middle market insight

To set up the infrastructure, to catch it before it starts doing damage, is pretty much cost prohibitive. The cost is in the five figures a month to keep it from happening.
Executive, consumer products

“Companies adopted cloud and software-as-a-service strategies, but they have the same IT team,” Llorens says. “They may not understand how the data flows after having adopted the new technology.”

RSM Principal Tauseef Ghazi has observed skill gaps in internal IT departments. “Technology has advanced so much and become essential to every area of the business,” he says. “But in many cases, the internal skill set is not growing to match new technology.”

Meanwhile, in a competitive environment for skilled workers, cybersecurity personnel are difficult to hire and retain, a major factor Llorens cites when advocating for under-resourced companies to consider managed services strategies and other external support.

“There often is a knowledge gap where IT may not understand how to protect their environment—this is the direct value vendors and managed services firms can provide,” he says.


Executives are confident in cybersecurity measures

Despite optimism, resource gaps and a lack of optimization can limit effectiveness

Key takeaways

  1. Confidence in current cybersecurity strategies remains high (95%).
  2. 76% of middle market managers carry a cyber insurance policy and 75% of those are familiar with their coverage.
  3. Large gaps exist between how small and large firms leverage technology to address threats.

Most middle market businesses appear to be taking risks seriously. While the strength and scope of cybersecurity strategies are steadily progressing, some vulnerabilities and opportunities remain.

Despite the rise in reported cyberattacks in the MMBI data, the number of respondents confident in their existing strategies remains high. In fact, 95% of middle market executives reported they are either very confident or somewhat confident in current measures to safeguard data, tracking closely to the 96% in both the 2022 and 2023 data.

RSM Principal Tauseef Ghazi asserts that complacency may be a factor in that confidence, fueled in part by a false sense of security from having more information about incidents at executives’ disposal. “It’s not that breaches have gone away,” he says. “They have just become part of life, and often, someone else is taking care of them. Also, in the last year or so, when some people got compromised, they thought, ‘OK, we are fine, we will be back up and running in five days.’ But some organizations weren't fine.”

Responding to a breach can be expensive and labor intensive, and cyber insurance is one of the most popular measures organizations employ to protect themselves. Many policies have undergone significant changes in recent years, as insurers responded to rising costs by increasing premiums, reducing coverage limits and requiring certain cybersecurity measures by organizations before issuing policies. Even after these changes, cyber insurance is still one of the most effective tools companies have.

“Cyber insurance carriers almost act as a governing body by requiring certain controls,” says RSM Principal Matt Franko. “Companies need to make sure they are covered because nobody wants to get hit with an attack that costs them more money than necessary.”

He adds: “That would be a tough thing to tell the board or shareholders—that we just didn’t have the coverage because we didn’t implement the necessary controls.”

Cyber insurance use is trending up in the middle market, as more than three-quarters of respondents in the MMBI survey (76%) indicated they carry a policy. This represents a significant increase from 68% in last year's survey, and an even bigger jump from 61% just two years ago. Eighty-three percent of larger middle market companies reported having an active policy, up from 70% last year, while use in smaller middle market companies lagged slightly, rising to 72% from 67% in 2023.

Perhaps most importantly, understanding of coverage is increasing. Seventy-five percent of survey respondents carrying a policy indicated they are familiar with their policy, up from 62% last year. In fact, 52% of companies said they are very familiar with their coverage, a surge from just 22% in 2023.

“Each year the policies change,” says Daniel Gabriel, a principal at RSM, noting the resulting confusion. “So, the biggest thing, especially for middle market organizations, is understanding the limitations and expectations of policies. Many people buying cyber insurance may not completely understand their policy and what the implications are, and they may be losing coverage every year.”

Cyber insurance carriers almost act as a governing body by requiring certain controls. Companies need to make sure they are covered because nobody wants to get hit with an attack that costs them more money than necessary.
Matt Franko, RSM Principal

Turning to preventive technologies, MMBI survey respondents had varying opinions on how cybersecurity tools are deployed within their organizations. Eighty-six percent of middle market executives rated their use of technology as excellent or good, while 82% said the same about their technology implementation, and 74% shared that sentiment about the value their tools generate.

However, significant gaps in confidence over tools exist between larger and smaller middle market organizations. Ninety-four percent of respondents at larger middle market firms said their use of technology to prevent or minimize threats is excellent or good, compared to 79% at smaller organizations. This disparity was even wider when the survey tracked positive feelings about implementing technology (93% vs. 73%) and generating value from technology (88% vs. 60%).

“Many tools are excellent, but they are often not optimized,” says Ghazi. “To be truly effective, tools must be tailored for a company’s environment, data, and the types of alerts and preferences they require. For example, if an advanced governance, risk and compliance (GRC) tool does not have effective workflows built in, it will not operate as intended.”

Whatever their size, companies need to focus on the effective implementation and operation of technology solutions, especially as options such as GRC tools gain traction as a valuable defense against cybercriminals. Several emerging solutions can automate GRC efforts, bringing more consistency, efficiency and insight to the process.

The need to maximize investment in modern, effective security tools is another factor leading companies to consider managed security services strategies for their cyber defenses, especially in the lower middle market.

“The cost of tools is hedged across multiple clients in many cases, making a higher level of protection much more affordable,” says Ghazi. “Benefits also emerge with personnel costs, because an analyst can monitor 20 clients at the same time with advanced automation, rather than a company hiring one person to manually monitor their environment.”


Digital identity measures in the spotlight

The security perimeter is expanding—identity strategies must shift accordingly

Key takeaways

  1. Strategies must constantly evolve, especially as digital identity becomes more complex.
  2. Providing access as needed is the most popular identity strategy, but may present challenges.
  3. Only 11% of respondents said password use is outmoded, representing a major opportunity for improved security.

The network no longer represents the security perimeter; instead, identity is the new perimeter. As customers, employees and service providers engage more often with companies’ digital systems and hackers constantly try to break in, controlling information access is critical. The concept of digital identity helps organizations build profiles of characteristics of employees, customers, third-party users, programs and organizations to determine what, if any, access they should have.

An effective digital identity strategy must constantly evolve as new users and groups require access and some existing users no longer do, and as new strategies become available to verify users and their purpose. The right approach can protect sensitive data and improve the online experience for both customers and employees.

MMBI data indicates that middle market companies are in various stages of their digital journey, with 31% of executives saying their companies provide people with access as needed. In addition, 24% provide single identity solutions such as single sign-on for system access, while another 22% require disparate usernames and passwords.

“By providing access as needed, provisioning and deprovisioning access can be a nightmare,” says RSM Principal Tauseef Ghazi, noting that access privileges must be removed when no longer needed, so that users retain access only to the systems and applications they require.

“Usually, users aren’t telling you they no longer need access,” he says.

We are definitely seeing a move toward passwordless authentication, especially from those who are focusing on their employee and customer user experience by not having to remember lots of passwords.
Chad Wolcott, RSM Managing Director

RSM Managing Director Chad Wolcott adds that the use of disparate usernames and passwords can result in a more secure environment but comes with a cost: a less seamless user experience.

“In some respects, having disparate usernames and passwords limits or minimizes your threat vectors,” he says. “If someone gets a credential, they can only access that area—versus a single sign-on approach where if someone gets that credential, they have access to everything that person has rights to.”

Authentication measures that don’t require passwords represent the future of data security, tying identity to specific users and/or devices and providing confirmation, typically through text messaging, email or biometrics. Even so, just 11% of executives in the RSM survey said their digital identity journey is this mature, with passwords a thing of the past.

This leaves significant opportunity to improve the user experience in the middle market, where businesses must balance their users’ desire for easier access with their own need for leading-edge security. Fortunately, identity and access management (IAM) strategies can deliver both.

Passwords are inherently vulnerable and can be relatively easily compromised in a number of ways. As threats persist, companies should work toward eliminating passwords from their environment as much as possible and creating a stronger, more user-friendly data security approach.

“We are definitely seeing a move toward passwordless authentication, especially from those who are focusing on their employee and customer user experience by not having to remember lots of passwords,” says Wolcott. “So, you don’t have to maintain the password—instead you may just pick up your phone and look at your face ID to gain access.”


Middle market must resist complacency amid ransomware and third-party risks

Monitoring and response capabilities are critical to counter risks

Key takeaways

  1. Ransomware attacks are holding steady, and remain a significant threat.
  2. 41% of respondents from larger firms experienced at least one attack last year, compared to 21% of smaller firms.
  3. Just over half of executives surveyed reported using governance, risk, and compliance or other tools.

Ransomware remains a widespread concern in the middle market, with attacks that can force specific systems, business units or entire companies to grind to a halt. The repercussions vary, ranging from financial losses and penalties to reputational damage, as well as opportunity costs if some functions become inoperable and a company is compelled to shift resources to recovery efforts.

Thirty percent of middle market executives surveyed in the MMBI reported having at least one ransomware attack or demand in the previous 12 months. This represents a small decrease from 35% in last year’s survey, but a 7% increase from 23% two years ago. Other leading cybersecurity research, including from NetDiligence, indicated consistent or increased ransomware activity in the last year, emphasizing the persistent threat.

With ransomware attacks remaining prominent in the middle market, companies cannot afford to lose focus. Incidents may not be as prevalent in the news cycle as in the past, but that does not make them less harmful.

“Everyone has gotten numb to ransomware,” says RSM Principal Daniel Gabriel. “But as international conflicts subside, it is going to be interesting to see what happens when groups and individuals no longer have that focus. They are going to turn around and start evaluating opportunities in the rest of the world.”

Larger middle market companies are a more popular target for hackers looking to collect ransom, with 41% of executives from those organizations reporting at least one attack or demand in the last year, compared to 21% of respondents at their smaller counterparts. However, that same subset of larger companies actually reported a 13% decrease in ransomware threats compared to last year, while smaller companies saw an 8% increase.

It’s much better to invest in the ability to rapidly detect, respond and recover than it is to protect. It’s more important to get your company back up and running quickly, and then deal with the rest of the chaos.
Daniel Gabriel, RSM Principal

“Larger companies are spending more money on cyber, and monitoring controls have gotten better,” says RSM Principal Tauseef Ghazi. “But this is another connection point to a managed services strategy. It is hard to maintain the necessary monitoring to identify ransomware the minute it hits. You only have seconds, maybe minutes—not hours—to move it to quarantine and contain it.”

For companies that reported at least one attack in the last year, 28% said existing security measures were unsuccessful, 32% said they were partially successful and 40% said they were completely successful. Interestingly, the survey data showed very little difference in the success of ransomware defenses between smaller and larger middle market companies.

“There is really no material difference in the results for the organizations that have much higher spend and higher head count,” says RSM Managing Director Chad Wolcott.

Gabriel suggests that a change in ransomware strategies may be in order. “It’s much better to invest in the ability to rapidly detect, respond and recover than it is to protect,” he says. “It’s more important to get your company back up and running quickly, and then deal with the rest of the chaos. By resuming operations and making money again, you can at least pay for the chaos. But the pivot to that mentality hasn’t fully occurred, especially in the middle market.”

Middle market insight

Every day, multiple times a day, we get phishing emails. It’s a constant reminder for us to stay vigilant about where emails come from and to not click on anything—just delete, delete, delete.
Executive, construction company

Many ransomware attacks are the result of vulnerabilities within third-party risk strategies. RSM survey data shows opportunities for middle market companies to improve those controls. For example, almost two-thirds of respondents (64%) regularly evaluate the cybersecurity controls of third parties and nearly 3 in 5 (58%) include service-level agreements and other data and security controls in contractual agreements.

In addition, just over half (53%) of the survey respondents use a governance, risk and compliance (GRC) or other tool to manage third-party risk management, half include critical third parties in business continuity and disaster recovery planning, and only 39% maintain a vendor inventory with vendors classified in accordance with a defined risk matrix. Implementing any—or a combination—of these strategies can mark a significant step toward mitigating potentially harmful third-party risks.


Challenges and opportunities in the complex data security and regulatory environment

Companies must keep an eye on operations as new standards emerge

Key takeaways

  1. U.S.-based companies face a complex patchwork of data privacy regulations.
  2. 90% of executives cited preparing for emerging privacy legislation as an important priority.
  3. 65% of respondents are familiar with Cybersecurity Maturity Model Certification regulations.

Since the European Union introduced its General Data Protection Regulation (GDPR) in 2016, several subsequent industry and state-specific data privacy standards have shaped how organizations collect, store and share personal information. There is currently no federal data privacy standard in the United States; instead, organizations operating across multiple states must contend with a patchwork of varying regulations.

That patchwork consists of regulations in 15 individual states; in 17 other states, privacy regulations are at various stages in the legislative process. RSM Director Laura Gomez-Martin sees both positives and negatives to the assortment of state-level privacy laws.

“The good thing is that most of these regulations have common principles and a lot of the same general language,” she says. “However, there are some nuances. For example, your company might be big enough to qualify as an entity that needs to comply with a law in one state, but not big enough under another state’s law. Domestically, companies really need to understand their operational footprint—where they sell their goods and services and where employees are based.”

Of course, companies with international operations must comply with security standards, such as the GDPR, where they do business.

“A lot of major countries already have established privacy laws, so we are not seeing as much of an increase in the regulatory landscape internationally,” says Gomez-Martin. “But as companies grow internationally, they still need to take those central factors into account—where they are selling their goods and services, and where employees are based.”

Gomez-Martin also cautions companies about some of the regulations that dictate oversight on data collected and transferred internationally, especially when information moves from one company to another. Many international frameworks require data to stay within certain geographical limits or require contracts to transfer it outside of those limits, she says, adding: “That is a huge concern internationally that may not affect companies that only have domestic operations.”

Amid the challenging regulatory environment, 90% of middle market executives in the MMBI survey cited preparing for emerging privacy legislation as an important priority—but that figure is a 6% drop from last year and the lowest level in survey history. Ninety-six percent of executives at larger middle market companies consider privacy a priority compared to 86% at smaller middle market organizations.

“The drop we see is probably due to not having a new regulation that is driving the focus,” says Charles Barley Jr., a principal at RSM. “But that does not mean those organizations are saying privacy is any less important. They still have the ongoing risk management responsibilities and the expectation to truly protect what we call the digital asset—what makes them ‘them,’ but in an electronic form.”

From a regulatory compliance perspective, the Cybersecurity Maturity Model Certification (CMMC) is a critical standard for U.S. companies that do business with the federal government. In response to the need for enhanced security measures, the U.S. Department of Defense introduced CMMC guidelines to enforce the security expectations that contractors and subcontractors in the defense industrial base are required to meet to protect controlled, unclassified information.

“If you've been a defense contractor since 2016, the Department of Defense already stated its expectations in any contract that you signed,” says Barley. “CMMC is just a vehicle that is placed on top of that requirement to prove through an independent verification arm that you are doing what you already signed up for. It's similar to Sarbanes-Oxley, when CFOs were forced to attest that they built internal controls to support the accuracy of what was shared in the market.”

Sixty-five percent of middle market executives surveyed said they are familiar with CMMC regulations. However, 85% of executives at larger middle market companies indicated they were familiar with the emerging standard, compared to just 48% of those at smaller organizations.

The DOD recently proposed a CMMC final rule—known as CMMC 2.0—with enforcement scheduled to begin in early 2025. But companies should not wait to implement new guidelines, as they represent cybersecurity best practices and being prepared will make working with the federal government a smoother process once the standard goes into effect.

“If organizations reduce CMMC to just a legal compliance activity, they're forgetting the importance of what it was really designed to do,” says Barley. “The entire DOD cyber expectation is designed to help all the suppliers protect national security—whether you are a retail company that helps troops have a similar lifestyle if they are at home or abroad protecting our liberties, or a manufacturer that produces the engine or the jet fuel that goes into F-35 fighters.”

Even if companies are not currently working with the U.S. government, becoming a contractor should be a consideration for growth. Federal contracts are very lucrative for many middle market companies; they represent a consistent source of sales and can open the door to many other potential sales opportunities.

Barley emphasizes the potential benefits of working with government entities. “The federal government will always be there,” he says. “I would never say it’s truly recession-proof, but they always have to find a way to provide services to execute our national security strategy.”

Confidence in the cloud

Companies continue the move off premises for data security

Key takeaways

  1. 55% of middle market companies moved to the cloud as a result of security concerns, a record high in RSM’s research.
  2. 65% of larger organizations moved to the cloud, compared to 45% of smaller companies.
  3. 89% of respondents feel more secure with their data in the cloud.

Momentum to migrate corporate data to the cloud has not slowed, as companies continue to move data and systems off premises to increase cybersecurity protections. While companies still retain ultimate responsibility for data security, cloud providers often have more extensive security capabilities because of their economies of scale.

The MMBI survey data indicates that middle market companies continue to take advantage of the cloud. Cloud migration as a result of security concerns was at its highest level (55%) in MMBI survey history, up from 50% last year. Migration for smaller (45%) organizations also reached its highest level, and the share of larger (65%) organizations that made the move matched last year’s record high.

“Use of the cloud for security purposes is getting normalized, and as it does, companies feel like the tools they are getting are more secure,” says RSM Principal Tauseef Ghazi.

Most importantly, the move to the cloud for security reasons appears to be successful, as 89% of survey respondents said they felt more secure with their data in the cloud. Larger middle market companies appeared particularly confident, with 62% of executives indicating they were much more secure, up 22% from last year’s survey and reaching the highest level ever.

Despite the confidence in the security of cloud-based systems and data, companies still need to be careful to ensure their assets are sufficiently protected, especially after an initial move to the cloud.

“While these established cloud platforms have a ton of security tools and products, by default, none of that is activated,” says RSM Principal Daniel Gabriel. “Organizations struggle with understanding what is already active and what they have to turn on, and that can have cost implications. Companies need to turn on or opt into security options, and they may not understand the details when they first move onto these platforms.”

In addition, even in a cloud environment, companies need to remember that they are still ultimately responsible for the security of their proprietary data.

Industry perspectives

Financial services

With valuable data, high reliance on technology and new regulatory demands, financial services companies must focus on managing cybersecurity.

Manufacturing

As manufacturing companies become more interconnected, strong cybersecurity measures and thorough risk management protocols increase in importance.

Professional services

Professional services firms of all sizes take cybersecurity seriously, but limited resources—especially at smaller firms—can increase vulnerability.

Real estate and construction

With an intricate user network and extensive mobile activity, real estate and construction companies are inherently vulnerable to cyberattacks.

Retail

As cracking of consumer passwords and creation of ghost websites threaten retailers, identity and access management becomes more of a priority.

Technology

While concentrating on growth, tech companies must also be mindful of evolving cybersecurity vulnerabilities and emerging regulatory requirements.

Telecommunications

Telecommunications companies must focus on secure infrastructure, stringent protocols and vulnerability testing to keep pace with cybersecurity risks.

The takeaway

Cybersecurity attacks are elevated and potential threats loom, leaving middle market companies at substantial risk. Many companies have become complacent about cybersecurity amid fatigue after consistently hearing about risks and attacks for several years. But hackers are persistent and will take advantage of any vulnerabilities or control gaps in an organization’s defenses.

Middle market companies need to evaluate their strategies to resist and respond to attacks and take advantage of opportunities to strengthen their cybersecurity strategy. Potential adjustments include optimizing existing security tools, implementing modern identity access plans and leveraging managed security services to augment internal IT personnel who often can’t keep up with evolving cybersecurity concerns and regulatory demands.

The cybersecurity landscape is complex, and addressing challenges certainly is not easy. But companies must remain vigilant to protect sensitive data and ensure sustainable operations.

Methodology

The RSM US Middle Market Business Index survey data in the first quarter of 2024 was gleaned from a panel of 1,500 executives (the Middle Market Leadership Council) recruited by The Harris Poll using a sample supplied by Dun & Bradstreet. All individuals qualified as full-time, executive-level decision makers working across a broad range of industries (excluding public service administration): nonfinancial or financial services companies with annual revenues of $10 million to $1 billion and financial institutions with assets under management of $250 million to $10 billion.

These panel members are invited to participate in four surveys over the course of a year that include special issue-based question sets, as well as quarterly index-only surveys; the 2024 first-quarter survey was conducted from Jan. 8 to Feb. 16, 2024. Information was collected by phone and online survey from 403 executives, including 163 panel members and a sample of 240 online respondents. Data is weighted by industry.
