Persistent cybersecurity threats require a new look at protective strategies

RSM Principal David Llorens emphasizes how cybersecurity threats continue to expand. “A lot of companies that have never been targeted before are being targeted now,” he says. “And many of the cyber events that we see are from threat actors that sit in countries not friendly with the U.S.”

At the end of the day, most attacks are based on opportunity. Hackers are relentless and will work to find vulnerabilities to exploit within a company’s network, an entire industry or a broader ecosystem, says Matt Franko, an RSM principal.

“Hackers are like water,” Franko says. “They will flow to where they think they can get money, just like any other business.”

Companies must ensure that controls are up to date and protective measures are leveraged to take a proactive stance in the ongoing battle against cybercrime. They must improve their cybersecurity program and strategy, focusing on:

Key takeaways

1. More than a third of middle market managers reported increasing the amount of revenue dedicated to cybersecurity in the coming year.
2. More than 60% of executives have two or fewer internal security and privacy employees.
3. Budgets most often reside under the chief technology officer or chief information security officer.

Spending more does not necessarily ensure an effective strategy, RSM Principal Matt Franko cautions. “During COVID, many companies bought a lot of tools, and many of those had overlapping and redundant uses,” he says, adding that many companies are still seen as tool heavy right now, but may lack the right people and processes in place to take advantage of those investments.

Budgetary control is an important element in how a cybersecurity strategy is built. Companies emphasize cybersecurity in different ways in the middle market, and therefore, internal funding sources for the function can vary greatly.

The MMBI survey showed cybersecurity was most commonly located under the chief technology officer (51%) or the chief information security officer (42%), according to respondents whose companies had a dedicated function focused on data security and privacy. The report also showed that 34% of companies had cybersecurity budgets under the chief financial officer and 32% residing under the chief executive officer.

“Cybersecurity needs to have a dedicated budget because it’s a risk management function and oftentimes gets sacrificed over other priorities,” says Franko, who favors alignment under the CFO. “You only have so much money to spend, and you have to determine whether you are going to spend it to make money or protect yourself from losing money.”

From a staffing perspective, more than 60% of respondents have two or fewer data security and privacy employees. Not surprisingly, larger middle market organizations have more dedicated internal staff; 40% of those respondents have four individuals or more. Meanwhile, 27% of smaller middle market companies—the largest response in that subset—cited no internal personnel, but instead leverage external providers for data security. Another 7% of smaller middle market companies have no internal personnel and either are considering creating a dedicated function (3%) or are not considering creating a dedicated function (4%).

Within many companies, the question isn’t always about the number of people, but whether they are the right people for the job. In the last decade, companies have become much more dependent on technology, but IT departments may not have kept up with the change.

“Even if products and services are not tech-focused, technology is the highway the business runs on,” says RSM Principal David Llorens. “The moment you block that highway, the business is crippled. You then cannot trust data and you cannot effectively work with clients and customers because everything is interlinked.”

In more recent years, COVID-19 disrupted companies and pushed them to transition to a remote workforce, decentralizing control and effectively creating a larger attack surface.

“Companies adopted cloud and software-as-a-service strategies, but they have the same IT team,” Llorens says. “They may not understand how the data flows after having adopted the new technology.”

RSM Principal Tauseef Ghazi has observed skill gaps in internal IT departments. “Technology has advanced so much and become essential to every area of the business,” he says. “But in many cases, the internal skill set is not growing to match new technology.”

Meanwhile, in a competitive environment for skilled workers, cybersecurity personnel are difficult to hire and retain, a major factor Llorens cites when advocating for under-resourced companies to consider managed services strategies and other external support.

“There often is a knowledge gap where IT may not understand how to protect their environment—this is the direct value vendors and managed services firms can provide,” he says.

Key takeaways

1. Confidence in current cybersecurity strategies remains high (95%).
2. 76% of middle market managers carry a cyber insurance policy and 75% of those are familiar with their coverage.
3. Large gaps exist between how small and large firms leverage technology to address threats.

RSM Principal Tauseef Ghazi asserts that complacency may be a factor in that confidence, fueled in part by a false sense of security from having more information about incidents at executives’ disposal. “It’s not that breaches have gone away,” he says. “They have just become part of life, and often, someone else is taking care of them. Also, in the last year or so, when some people got compromised, they thought, ‘OK, we are fine, we will be back up and running in five days.’ But some organizations weren't fine.”

Responding to a breach can be expensive and labor intensive, and cyber insurance is one of the most popular measures organizations employ to protect themselves. Many policies have undergone significant changes in recent years, as insurers responded to rising costs by increasing premiums, reducing coverage limits and requiring certain cybersecurity measures by organizations before issuing policies. Even after these changes, cyber insurance is still one of the most effective tools companies have.

“Cyber insurance carriers almost act as a governing body by requiring certain controls,” says RSM Principal Matt Franko. “Companies need to make sure they are covered because nobody wants to get hit with an attack that costs them more money than necessary.”

He adds: “That would be a tough thing to tell the board or shareholders—that we just didn’t have the coverage because we didn’t implement the necessary controls.”

Cyber insurance use is trending up in the middle market, as more than three-quarters of respondents in the MMBI survey (76%) indicated they carry a policy. This represents a significant increase from 68% in last year's survey, and an even bigger jump from 61% just two years ago. Eighty-three percent of larger middle market companies reported having an active policy, up from 70% last year, while use in smaller middle market companies lagged slightly, rising to 72% from 67% in 2023.

Perhaps most importantly, understanding of coverage is increasing. Seventy-five percent of survey respondents carrying a policy indicated they are familiar with their policy, up from 62% last year. In fact, 52% of companies said they are very familiar with their coverage, a surge from just 22% in 2023.

“Each year the policies change,” says Daniel Gabriel, a principal at RSM, noting the resulting confusion. “So, the biggest thing, especially for middle market organizations, is understanding the limitations and expectations of policies. Many people buying cyber insurance may not completely understand their policy and what the implications are, and they may be losing coverage every year.”

Turning to preventive technologies, MMBI survey respondents had varying opinions on how cybersecurity tools are deployed within their organizations. Eighty-six percent of middle market executives rated their use of technology as excellent or good, while 82% said the same about their technology implementation, and 74% shared that sentiment about the value their tools generate.

However, significant gaps in confidence over tools exist between larger and smaller middle market organizations. Ninety-four percent of respondents at larger middle market firms said their use of technology to prevent or minimize threats is excellent or good, compared to 79% at smaller organizations. This disparity was even wider when the survey tracked positive feelings about implementing technology (93% vs. 73%) and generating value from technology (88% vs. 60%).

“Many tools are excellent, but they are often not optimized,” says Ghazi. “To be truly effective, tools must be tailored for a company’s environment, data, and the types of alerts and preferences they require. For example, if an advanced governance, risk and compliance (GRC) tool does not have effective workflows built in, it will not operate as intended.”

Whatever their size, companies need to focus on the effective implementation and operation of technology solutions, especially as options such as GRC tools gain traction as a valuable defense against cybercriminals. Several emerging solutions can automate GRC efforts, bringing more consistency, efficiency and insight to the process.

The need to maximize investment in modern, effective security tools is another factor leading companies to consider managed security services strategies for their cyber defenses, especially in the lower middle market.

“The cost of tools is hedged across multiple clients in many cases, making a higher level of protection much more affordable,” says Ghazi. “Benefits also emerge with personnel costs, because an analyst can monitor 20 clients at the same time with advanced automation, rather than a company hiring one person to manually monitor their environment.”

Key takeaways

1. Strategies must constantly evolve, especially as digital identity becomes more complex.
2. Providing access as needed is the most popular identity strategy, but may present challenges.
3. Only 11% of respondents said password use is outmoded, representing a major opportunity for improved security.

MMBI data indicates that middle market companies are in various stages of their digital journey, with 31% of executives saying their companies provide people with access as needed. In addition, 24% provide single identity solutions such as single sign-on for system access, while another 22% require disparate usernames and passwords.

“By providing access as needed, provisioning and deprovisioning access can be a nightmare,” says RSM Principal Tauseef Ghazi, noting that access privileges must be removed when no longer needed—in effect, provisioning and deprovisioning to ensure users only have access to necessary systems and applications.

“Usually, users aren’t telling you they no longer need access,” he says.

RSM Managing Director Chad Wolcott adds that the use of disparate usernames and passwords can result in a more secure environment but comes with a cost: a less seamless user experience.

“In some respects, having disparate usernames and passwords limits or minimizes your threat vectors,” he says. “If someone gets a credential, they can only access that area—versus a single sign-on approach where if someone gets that credential, they have access to everything that person has rights to.”

Authentication measures that don’t require passwords represent the future of data security, tying identity to specific users and/or devices and providing confirmation, typically through text messaging, email or biometrics. Even so, just 11% of executives in the RSM survey said their digital identity journey is this mature, with passwords a thing of the past.

This leaves significant opportunity to improve the user experience in the middle market, where businesses must balance their users’ desire for easier access with their own need for leading-edge security. Fortunately, identity and access management (IAM) strategies can deliver both.

Passwords are inherently vulnerable and can be relatively easily compromised in a number of ways. As threats persist, companies should work toward eliminating passwords from their environment as much as possible and creating a stronger, more user-friendly data security approach.

“We are definitely seeing a move toward passwordless authentication, especially from those who are focusing on their employee and customer user experience by not having to remember lots of passwords,” says Wolcott. “So, you don’t have to maintain the password—instead you may just pick up your phone and look at your face ID to gain access.”

Key takeaways

1. Ransomware attacks are holding steady, and remain a significant threat.
2. 41% of respondents from larger firms experienced at least one attack last year, compared to 21% of smaller firms.
3. Just over half of executives surveyed reported using governance, risk, and compliance or other tools.

With ransomware attacks remaining prominent in the middle market, companies cannot afford to lose focus. Incidents may not be as prevalent in the news cycle as in the past, but that does not make them less harmful.

“Everyone has gotten numb to ransomware,” says RSM Principal Daniel Gabriel. “But as international conflicts subside, it is going to be interesting to see what happens when groups and individuals no longer have that focus. They are going to turn around and start evaluating opportunities in the rest of the world.”

Larger middle market companies are a more popular target for hackers looking to collect ransom, with 41% of executives from those organizations reporting at least one attack or demand in the last year, compared to 21% of respondents at their smaller counterparts. However, that same subset of larger companies actually reported a 13% decrease in ransomware threats compared to last year, while smaller companies saw an 8% increase.

“Larger companies are spending more money on cyber, and monitoring controls have gotten better,” says RSM Principal Tauseef Ghazi. “But this is another connection point to a managed services strategy. It is hard to maintain the necessary monitoring to identify ransomware the minute it hits. You only have seconds, maybe minutes—not hours—to move it to quarantine and contain it.”

For companies that reported at least one attack in the last year, 28% said existing security measures were unsuccessful, 32% said they were partially successful and 40% said they were completely successful. Interestingly, the survey data showed very little difference in the success of ransomware defenses between smaller and larger middle market companies.

“There is really no material difference in the results for the organizations that have much higher spend and higher head count,” says RSM Managing Director Chad Wolcott.

Gabriel suggests that a change in ransomware strategies may be in order. “It’s much better to invest in the ability to rapidly detect, respond and recover than it is to protect,” he says. “It’s more important to get your company back up and running quickly, and then deal with the rest of the chaos. By resuming operations and making money again, you can at least pay for the chaos. But the pivot to that mentality hasn’t fully occurred, especially in the middle market.”

Many ransomware attacks are the result of vulnerabilities within third-party risk strategies. RSM survey data shows opportunities for middle market companies to improve those controls. For example, almost two-thirds of respondents (64%) regularly evaluate the cybersecurity controls of third parties and nearly 3 in 5 (58%) include service-level agreements and other data and security controls in contractual agreements.

In addition, just over half (53%) of the survey respondents use a governance, risk and compliance (GRC) or other tool to manage third-party risk management, half include critical third parties in business continuity and disaster recovery planning, and only 39% maintain a vendor inventory with vendors classified in accordance with a defined risk matrix. Implementing any—or a combination—of these strategies can mark a significant step toward mitigating potentially harmful third-party risks.

Key takeaways

1. U.S.-based companies face a complex patchwork of data privacy regulations.
2. 90% of executives cited preparing for emerging privacy legislation as an important priority.
3. 65% of respondents are familiar with Cybersecurity Maturity Model Certification regulations.

“The good thing is that most of these regulations have common principles and a lot of the same general language,” she says. “However, there are some nuances. For example, your company might be big enough to qualify as an entity that needs to comply with a law in one state, but not big enough under another state’s law. Domestically, companies really need to understand their operational footprint—where they sell their goods and services and where employees are based.”

Of course, companies with international operations must comply with security standards, such as the GDPR, where they do business.

“A lot of major countries already have established privacy laws, so we are not seeing as much of an increase in the regulatory landscape internationally,” says Gomez-Martin. “But as companies grow internationally, they still need to take those central factors into account—where they are selling their goods and services, and where employees are based.”

Gomez-Martin also cautions companies about some of the regulations that dictate oversight on data collected and transferred internationally, especially when information moves from one company to another. Many international frameworks require data to stay within certain geographical limits or require contracts to transfer it outside of those limits, she says, adding: “That is a huge concern internationally that may not affect companies that only have domestic operations.”

Amid the challenging regulatory environment, 90% of middle market executives in the MMBI survey cited preparing for emerging privacy legislation as an important priority—but that figure is a 6% drop from last year and the lowest level in survey history. Ninety-six percent of executives at larger middle market companies consider privacy a priority compared to 86% at smaller middle market organizations.

“The drop we see is probably due to not having a new regulation that is driving the focus,” says Charles Barley Jr., a principal at RSM. “But that does not mean those organizations are saying privacy is any less important. They still have the ongoing risk management responsibilities and the expectation to truly protect what we call the digital asset—what makes them ‘them,’ but in an electronic form.”

From a regulatory compliance perspective, the Cybersecurity Maturity Model Certification (CMMC) is a critical standard for U.S. companies that do business with the federal government. In response to the need for enhanced security measures, the U.S. Department of Defense introduced CMMC guidelines to enforce the security expectations that contractors and subcontractors in the defense industrial base are required to meet to protect controlled, unclassified information.

“If you've been a defense contractor since 2016, the Department of Defense already stated its expectations in any contract that you signed,” says Barley. “CMMC is just a vehicle that is placed on top of that requirement to prove through an independent verification arm that you are doing what you already signed up for. It's similar to Sarbanes-Oxley, when CFOs were forced to attest that they built internal controls to support the accuracy of what was shared in the market.”

Sixty-five percent of middle market executives surveyed said they are familiar with CMMC regulations. However, 85% of executives at larger middle market companies indicated they were familiar with the emerging standard, compared to just 48% of those at smaller organizations.

The DOD recently proposed a CMMC final rule—known as CMMC 2.0—with enforcement scheduled to begin in early 2025. But companies should not wait to implement new guidelines, as they represent cybersecurity best practices and being prepared will make working with the federal government a smoother process once the standard goes into effect.

“If organizations reduce CMMC to just a legal compliance activity, they're forgetting the importance of what it was really designed to do,” says Barley. “The entire DOD cyber expectation is designed to help all the suppliers protect national security—whether you are a retail company that helps troops have a similar lifestyle if they are at home or abroad protecting our liberties, or a manufacturer that produces the engine or the jet fuel that goes into F-35 fighters.”

Even If companies are not currently working with the U.S. government, becoming a contractor should be a consideration for growth. Federal contracts are very lucrative for many middle market companies, and they represent a consistent source for sales and can open the door to many other potential sales opportunities.

Barley emphasizes the potential benefits of working with government entities. “The federal government will always be there,” he says. “I would never say it’s truly recession-proof, but they always have to find a way to provide services to execute our national security strategy.”

Key takeaways

1. 55% of middle market companies moved to the cloud as a result of security concerns, a record high in RSM’s research.
2. 65% of larger organizations moved to the cloud, compared to 45% of smaller companies.
3. 89% of respondents feel more secure with their data in the cloud.

“Use of the cloud for security purposes is getting normalized, and as it does, companies feel like the tools they are getting are more secure,” says RSM Principal Tauseef Ghazi.

Most importantly, the move to the cloud for security reasons appears to be successful, as 89% of survey respondents said they felt more secure with their data in the cloud. Larger middle market companies appeared particularly confident, with 62% of executives indicating they were much more secure, up 22% from last year’s survey and reaching the highest level ever.

Despite the confidence in the security of cloud-based systems and data, companies still need to be careful to ensure their assets are sufficiently protected, especially after an initial move to the cloud.

“While these established cloud platforms have a ton of security tools and products, by default, none of that is activated,” says RSM Principal Daniel Gabriel. “Organizations struggle with understanding what is already active and what they have to turn on, and that can have cost implications. Companies need to turn on or opt into security options, and they may not understand the details when they first move onto these platforms.”

In addition, even in a cloud environment, companies need to remember that they are still ultimately responsible for the security of their proprietary data.

Cybersecurity attacks are elevated and potential threats loom, leaving middle market companies at substantial risk. Many companies have become complacent about cybersecurity amid fatigue after consistently hearing about risks and attacks for several years. But hackers are persistent and will take advantage of any vulnerabilities or control gaps in an organization’s defenses.

Middle market companies need to evaluate their strategies to resist and respond to attacks and take advantage of opportunities to strengthen their cybersecurity strategy. Potential adjustments include optimizing existing security tools, implementing modern identity access plans and leveraging managed security services to augment internal IT personnel who often can’t keep up with evolving cybersecurity concerns and regulatory demands.

The cybersecurity landscape is complex, and addressing challenges certainly is not easy. But companies must remain vigilant to protect sensitive data and ensure sustainable operations.