The middle market remains a primary target for cybersecurity attacks as the threat environment has evolved over time. In the past year, companies have dealt with a wide range of threats, including ongoing geopolitical risks, an uncertain economy and the lingering effects of the COVID-19 pandemic. Now, more than ever, threats can come from several directions, so companies need to prepare.
As the number and scope of cybersecurity attacks have increased in recent years, even the breaches at larger organizations that previously made national headlines barely garner public attention. We know that no company is completely immune to a breach, and attackers will work to find the most vulnerable targets for an attack. That often means focusing on smaller and midsized companies that may not have the budget and internal resources of larger organizations.
The positive news is that despite the increasing pressure from various threats, the number of reported breaches is slightly down as organizations generally appear to take cybersecurity challenges more seriously. But despite easing, the number is still elevated, and companies cannot afford to relax. Instead, they must continue to focus on expanding protections and implementing cybersecurity strategies that align with company investments and goals while criminals relentlessly pursue vulnerable systems, data and intellectual property.
“A critical element of any cybersecurity strategy is for boards to authorize investments in organizational, educational and cultural changes needed to close the cybersecurity governance gap and to develop a contextual understanding of how a company’s business systems function and interact. There are no ‘check-the-box’ solutions for cybersecurity governance,” says Rod Hackman, RSM cybersecurity risk and board advisor.
Middle market leaders provided a valuable look into their ongoing cybersecurity efforts in a 2023 RSM US Middle Market Business Index first quarter survey. The survey polled 406 senior executives at midsize organizations about their cybersecurity and data privacy challenges, revealing the frequency and severity of attacks and providing details about ongoing threats. The survey research offers a glimpse into how the largest segment of the U.S. economy is implementing controls and strategies to address security threats and combat the tactics of cybercriminals. In almost all cases, research provides specific data for smaller ($10 million to less than $50 million in revenue) and larger ($50 million to $1 billion in revenue) middle market organizations.
According to the MMBI data, 20% of middle market executives claimed their company experienced a data breach within the last year, representing a slight decline from 22% in last year’s survey. Larger middle market organizations were once again more at risk (28%) compared to their smaller counterparts (12%). Still, larger organizations showed a small reduction in attacks, while attacks at smaller companies stayed the same.
Consistent with the decline in reported attacks, the number of executives anticipating unauthorized users attempting to access data or systems in 2023 eased to 68% from 72% last year. However, that is still a large number, and companies appear to recognize the need to invest in more cybersecurity resources. This investment is demonstrated in the MMBI survey data, as 77% of respondents disclosed that they have a dedicated function focused on data security and privacy, a considerable jump from 60% last year.
In addition, the majority of middle market executives understand the importance of carrying a cyber insurance policy. The RSM survey found that 68% of companies have such a policy, up from 61% last year. The data shows that the number of smaller companies that utilize cyber insurance rose slightly, while the number of larger companies with policies rose significantly, to 70% from 57% in 2022.
Data privacy will likely soon become a priority of many middle market risk strategies, with state-level laws going into effect in California, Colorado, Connecticut, Iowa, Utah and Virginia and the scope of many others coming into focus. The basis of these laws is to specify who should collect and possess sensitive data and how to store it. Simply put, companies now need to detail not just how information from customers and users is stored, but why they need that data in the first place. The inspiration for these U.S. laws is the European Union’s General Data Protection Regulation, a landmark piece of legislation that took effect in 2018 and served as a blueprint for other data privacy standards worldwide.
The MMBI research shows that data privacy is on the radar of most middle market companies, with 57% of executives disclosing they are familiar with the requirements of the GDPR, a slight decline from 2022. However, 96% of respondents report that preparing for emerging privacy legislation or regulations is at least a priority of minor importance, the same share found in last year’s survey.
The cybersecurity environment is expected to remain volatile for middle market companies, with current threats projected to continue and new threats periodically emerging at the hands of skilled criminals. Benchmarking opportunities and perspectives from peers are critical tools to fight back against threats and develop effective cybersecurity strategies. To that end, RSM has developed this report to provide relevant middle market cybersecurity insights and data privacy trends, as well as to outline tactics organizations can utilize to strengthen security and privacy programs.