
Cybersecurity Special Report: RSM US LLP & U.S. Chamber of Commerce

Reported breaches down slightly as organizations sharpen focus on cybersecurity challenges; 68% of middle market companies currently utilize a cyber insurance policy

Cybersecurity attacks remain a risk to middle market businesses as the threat environment evolves with ongoing geopolitical tensions, economic uncertainty and the lingering effects of the COVID-19 pandemic, according to the RSM US Middle Market Business Index (MMBI) Cybersecurity Special Report, presented by RSM US LLP (“RSM”) in partnership with the U.S. Chamber of Commerce.

The RSM MMBI survey shows that while breach risks remain elevated, the number of reported breaches has fallen slightly for the second straight year. Twenty percent of middle market executives reported their company experienced a data breach in the last year, representing a slight decline from 22% a year ago. Despite the decline in reported breaches, the figure is still twice as high as it was seven years ago. The number of executives at smaller middle market companies ($10 million to less than $50 million in revenue) that reported a breach remained consistent with last year’s data (12%), while larger organizations ($50 million to $1 billion in annual revenue) reported a decline in breaches (30% in 2022 to 28% this year).

“While cybersecurity threats have been a concern for years, the biggest amount of digital transformation that you could have imagined in the middle market has taken place because of the COVID-19 pandemic,” said Tauseef Ghazi, national leader of security and privacy with RSM US LLP. “The pandemic resulted in a seismic shift in the entire business environment, with aftereffects still being felt today. But with those dramatic changes, middle market companies have also made strategic process changes that show how seriously they are taking cybersecurity. In 2020, middle market companies were scrambling to find and implement solutions. In 2021, companies were working through their new environments and making necessary adjustments. Now, three years since the start of the pandemic, everything is up and running and it’s a new way of managing the business.”

The MMBI survey results show that middle market businesses are taking proactive steps to mitigate cybersecurity threats, as indicated by the 68% of respondents who stated they currently utilize a cyber insurance policy to protect against internet-based risks. This is an increase from 61% in last year’s report. A closer look at the data shows that the number of smaller middle market companies with cyber insurance increased to 67% from 65% in 2022, while larger companies that reported carrying a policy jumped significantly to 70% this year from 57% in 2022.

The report details relevant middle market cybersecurity insights and data privacy trends, along with tactics organizations can use to strengthen security and privacy programs.

Ransomware Attacks and Business Takeover Threats Increasing, Employee Manipulation Tactics a Key Concern

Consistent with previous years, ransomware remains the primary cybersecurity threat to the middle market, with attacks resulting in several layers of harmful consequences. In this year’s MMBI data, 35% of middle market executives disclosed that they experienced a ransomware attack or demand, up from 23% last year. Larger middle market companies reported a sizable increase in attacks with 54% this year compared to 29% in last year’s report, while smaller organizations saw a slight decline in incidents to 13% from 16% last year.

Business takeover threats are one of the most persistent and pervasive cybersecurity attacks to middle market companies. The reported frequency of business takeover attempts increased significantly in this year’s data, with 58% of middle market executives indicating that outside parties attempted to manipulate employees by pretending to be trusted third parties or company executives, compared to 45% last year. Executives at smaller middle market companies reported a small increase in attacks to 53% this year from 51% in 2022, while larger companies indicated a sharp jump in incidents to 63% from 40%.

Surveyed executives also reported that 48% of attempts to manipulate employees were successful over the last year, a considerable increase from 27% in 2022’s data. Larger middle market organizations showed the largest increase, reporting a 68% success rate for attacks, compared to 38% just last year. Smaller middle market companies reported a small increase this year, up to 21% from 15%.

Companies Taking Cyber Threats Seriously and Continuing to Respond

Most middle market companies understand the value of training as a defense against business takeover attacks, with 89% of executives reporting their organization provides training to at least some employees on how to detect, identify and prevent attempts to gain unauthorized access, consistent with last year’s data. Larger middle market companies appear to offer training to more employees, with 97% providing training to some or all employees, compared to 81% of smaller counterparts.

Additionally, confidence in cybersecurity strategies remains very high in the middle market. For the second straight year, 96% of respondents were confident in their current measures to safeguard data, matching last year’s record high. RSM attributes some of the high confidence to the increase in cloud adoption as well as an apparent shift in strategy to invest in more cybersecurity resources. The number of executives who reported a dedicated function focused on security and privacy increased significantly to 77% this year, up from 60% in last year’s survey.

Many middle market companies also appear to have changed their reporting structure in the last year. In this year’s survey, 40% of executives reported that the person most responsible for data security and privacy reports directly to the CEO, an increase from 25% last year. That number fell slightly at smaller middle market companies (38% in 2022 to 33% in 2023), while it rose significantly at larger organizations (16% to 43%).

“According to a recent U.S. Chamber report, regulation, including cyber specific regulation, has dramatically increased over the last decade,” said Vincent Voci, vice president, cyber policy and operations at the U.S. Chamber of Commerce. “While the pace of government regulations has increased, so too have cyber threats against the public and private sectors. Despite a flurry of regulations, we have not, in fact, regulated our way to a safer, more secure cyberspace. Midsize businesses should monitor regulations along four categories of cyber public policy risk in particular, including sector specific cybersecurity regulations, incident reporting or public disclosure, common cybersecurity standards, and state-by-state approaches to cybersecurity regulations.”

Only 57% of executives in the survey said they are familiar with the requirements of the European Union’s General Data Protection Regulation (GDPR). This indicates a plateau from 58% in 2022, despite increased awareness and enforcement activity. Consistent with past years, respondents from larger organizations were more familiar with GDPR requirements than those at smaller organizations—84% versus 28%.

With the expansion of privacy laws and regulations across the United States, the majority of middle market businesses understand they will likely need to adhere to compliance obligations in the near future. Among RSM survey respondents familiar with GDPR requirements, 90% said their organizations would likely have to comply with privacy requirements similar to the GDPR at the federal or state level in the United States during the next two years. Ninety-six percent of executives who are familiar with the GDPR said preparing for emerging privacy laws and regulations is a priority, identical to last year’s response.

The survey data that informs this index reading was gathered from 406 respondents between January 9 and January 30, 2023.
