As threat actors' tactics continually evolve, protective measures must adapt in tandem.
Key takeaways
Scaling tech companies need to prioritize security measures to safeguard assets as they grow.
Assess your data, determine its location and have a rigorous policy in place regarding access.
Cyberthreats continue to loom over companies and organizations. Snatching private data is big business for criminal elements, who use it for ransomware schemes or sell it on the black market.
Technology businesses are especially enticing to cybercriminals given their large collections of consumer and enterprise data and their treasure trove of intellectual property information.
Many middle market technology companies—especially those focused on scaling—may find it challenging to address threats given their strained infrastructures, which often inadequately protect their prized data assets. Because of this, it is critical for businesses to invest in bolstering their cybersecurity practices and resources. Most organizations are already behind on capital expense cybersecurity spending. As a result, there can be a gap between what a business is spending on cybersecurity and what it should be spending; a realignment of the overall budget is often necessary.
According to findings in the Q1 2025 RSM US Middle Market Business Index survey, nearly 1 in 5 middle market companies (18%) experienced a data breach in 2024, falling from a record-high 28% in the previous year’s MMBI data. The decline is certainly positive, but the 2025 results are consistent with data from years preceding that spike. In addition, with methods becoming more sophisticated, some attacks may go undetected, highlighting the importance of continually strengthening controls. Companies need to remain diligent as cyberthreats evolve.
One example of that evolution is the dramatic surge in the use of deepfake technology; “deepfake fraud attempts rose by more than 1,300% in 2024,” according to Pindrop Security, indicating that scams are becoming more sophisticated and harder to detect. This growth raises serious concerns about the authenticity of digital content, prompting many to question what is real in an increasingly manipulated digital landscape.
In addition to combating cyberthreats, businesses are addressing a surge of regulations as more countries and states enact cybersecurity legislation to improve data protection, such as the European Union’s General Data Protection Regulation and the California Consumer Privacy Act. Historically, many companies have been slow to develop compliance processes.
What should tech companies do?
While resources to combat cyberthreats might be limited, a variety of basic blocking and tackling efforts can strengthen data security. Here are five ways technology companies can address cybersecurity issues:
1. Assess your data
Where is your data? Who has access to it? What protections do you have in place? Identifying your key data sets and establishing the location of this information are critical to protecting your information security. It seems fundamental, but especially for tech companies that are scaling quickly—making acquisitions and adding employees and accounts—data placement and access can get murky. Assess your data, determine its type and location, have a rigorous policy in place regarding access, and then monitor that access diligently.
2. Consider cyber insurance
To manage cybercrime repercussions, cyber insurance has become an effective solution, and its use is trending up in the middle market, according to MMBI data. In fact, 82% of survey respondents indicated that they carry a cyber insurance policy, up from 76% the previous year and marking the highest percentage in the history of the report.
However, while the use of cyber insurance is gaining momentum, some executives do not have a full understanding of their coverage. Companies must understand their policies to ensure exposures are addressed. Periodic evaluation of the insurance policy is also needed to account for evolving risks.
3. Train your people
When RSM works with clients on their cybersecurity vulnerability, we frequently conduct penetration testing, including social engineering, to understand where exposures might occur. The majority of the time we uncover weak passwords that are easy to crack. We also find that social engineering efforts can be effective at tricking users into clicking on links. Much of this careless user behavior can be addressed with improved user training and oversight, in which unacceptable practices are challenged and appropriate behaviors are incentivized.
4. Move to the cloud
As tech companies grow, they can lose control of their data and fail to understand how much information they have and where it resides. Moving organizational data to the cloud can improve efficiency and access and provide greater security. Cloud vendors’ economy of scale enables them to implement more extensive security measures and controls that are not realistic for some middle market companies. In the MMBI data, middle market respondents cited cloud-native tools and practices (31%), hybrid solutions combining on-premises and cloud security (31%), and a cloud provider’s built-in security measures without additional enhancements (26%) as the leading cloud technologies used to enhance cybersecurity efforts.
Moving to a cloud-based platform also requires companies to develop a cloud security architecture that segments the infrastructure to limit the impact if a breach occurs and restricts data access to only those who need it. This helps control possible access to entry points by unwanted intruders.
5. Plan to respond
When a breach occurs, it’s not a good time to blow the dust off your neglected, outdated incident response plan and figure out what to do next. The plan should be a living, evolving strategy, and should be rehearsed every six months, if possible. Roles and responsibilities should be concisely spelled out, and action steps must be comprehensive. Evaluate and revise the plan as needed.
Looking ahead
As threat actors' tactics, techniques and procedures continually evolve amid advances in generative artificial intelligence and ongoing geopolitical tensions, protective measures must adapt and evolve in tandem. Scaling technology companies need to prioritize security measures to safeguard their assets as they grow.
Related insights
RSM Catamaran
RSM’s suite of integrated, outsourced solutions has the power to transform and strategically evolve your finance, IT, risk and HR functions for the future. Through RSM Catamaran, we add value without adding overhead costs, by giving you access to a deep knowledge base and cutting-edge technology.
