Middle market remains vulnerable to cyberattacks, but controls improve

Given the prevalence of cybersecurity risks, middle market companies generally understand that a data breach is likely at some point. With that in mind, some with mature security programs are shifting to an “assume compromise” perspective, which presumes a threat actor is already present. In a consistently challenging threat environment, leadership needs to continue focusing on putting effective controls in place to shield their companies and minimize risks as much as possible.

Despite the growing complexity of effective cybersecurity management, 96% of middle market executives in the Q1 2026 RSM US Middle Market Business Index survey reported that they are either very or somewhat confident in their current measures to safeguard data, similar to last year.

Risks and vulnerabilities are also largely unchanged. “Many issues are pretty consistent from what we saw last year,” says Rich Servillas, a director at RSM US LLP. “Exposed edge devices are the dominant initial access vector. Many events are also attributed to gaps in a victim’s firewall, as well as virtual private network (VPN) and multifactor authentication (MFA) issues. It’s a lot of low-hanging fruit.”

Many of the industries targeted by threat actors have stayed consistent as well, with financial services, health care and manufacturing entities at high risk.

“Health care organizations, as well as school districts, municipalities and regional manufacturers all share the same profile,” Servillas says. “High operational pressure, limited budgets and low tolerance for downtime. Threat actors have figured out that leverage, not sophistication, is what drives payment. Municipal entities and K-12 schools have become priority targets for lone wolf and mid-tier affiliate operators because they combine operational pressure with typically low security maturity.”

Ransomware represents a continued threat to operations and sustainability. In the Q1 2026 RSM US MMBI survey, 24% of middle market companies reported experiencing at least one ransomware attack or demand in the last 12 months, similar to last year. Larger companies, with more attractive data and financial assets, were prime targets for criminals: 30% of respondents experienced at least one attack or attempt compared to 20% of smaller counterparts.

“With ransomware, I think about what actually causes people to pay,” says Servillas. “A few years ago, it was almost always about backups, because victims often didn't have good redundancy in place, so they had to pay to get their data back and stay in business. That's shifted. Now more often they're paying to keep stolen data from being leaked. It's not advised to pay, but when the data is sensitive enough, the decision gets harder.”

Like other cyberthreats, ransomware attacks have intensified with the use of AI. Enhanced automation has increased the ease and quality of business email compromise attacks, while also enhancing spear phishing and vishing attacks, where an attacker may pretend to be a help desk employee, for example.

“We're seeing early signs of AI in how threat actors communicate, with cleaner language, faster responses and more consistent tone,” says Servillas. “The bigger shift is who's using it. The ransomware-as-a-service era is fading, and more of what we're responding to is lone-wolf operators. AI is what's making them dangerous. It's closing the gap between a sophisticated attacker and someone who wouldn't have been a threat 18 months ago. We're not yet seeing attacks run entirely by AI, but that's where this is trending.”

"However, Servillas sees some promising signals from control strategies in the middle market. “A lot of companies are making meaningful progress,” he says. “The conversations are shifting from ‘We are completely down,’ to ‘We believe we caught the activity while it was still unfolding and were able to contain it.’"

“Endpoint detection and response (EDR) maturity has genuinely improved outcomes, and we are seeing more and more incidents getting contained at the initial access or lateral movement phase, prior to encryption,” Servillas continues. “In addition, managed detection and response services are helping accelerate middle market wins. We do see a lot of organizations that don't have 24/7 in-house security operations center coverage—but it's nice to see some advancements driving forensic and breach costs down.”