In recent years, cybersecurity has been a considerable concern for middle market companies, although the specific threats are constantly in flux. Last year was no different, as organizations encountered a roller coaster of risks, from lingering threats related to the COVID-19 pandemic to geopolitical conflicts and economic uncertainty underscored by the war in Ukraine. As is often the case, bad actors in cyberspace could come from a variety of angles on any given day.
However, there is good news. The number of breaches reported among middle market companies is dropping slightly as protections become more available and executives understand the consequences of potential incidents. But even with enhanced protections in place, companies cannot afford to let their guard down. It’s a constant battle against those who seek to access files, systems or funds illicitly—being reactive instead of proactive is no longer an option.
Middle market leaders provided insight into the evolution of their cybersecurity approaches in a 2022 first quarter RSM US Middle Market Business Index survey. The survey polled 402 middle market executives about cybersecurity and data privacy challenges, detailing the frequency and severity of attacks, while providing a glimpse into how the largest segment of the U.S. economy is implementing controls and strategies to address security threats. In many cases, survey research provides specific data for both smaller ($10 million to less than $50 million in revenue) and larger ($50 million to $1 billion in revenue) middle market organizations.
According to the MMBI data, 22% of middle market executives claimed that their company experienced a data breach in the last year, down from 28% in last year’s survey. Larger middle market organizations were once again most at risk (30%) compared to their smaller counterparts (12%).
Even with the decline in reported attacks, companies recognize the risks in the current dynamic threat environment, with 72% of executives anticipating that unauthorized users will attempt to access data or systems in 2022, a sharp rise from 64% last year and the highest number since RSM began tracking data in 2015. In response, more middle market companies are embracing a managed services approach with third-party providers. This response is demonstrated in the survey, as 60% of respondents disclosed that they have an internal, dedicated data security and privacy function, down from 71% last year.
“Middle market companies are increasingly interested in exploring managed security services and outsourcing their security monitoring processes,” said Tauseef Ghazi, national leader of security and privacy services at RSM US LLP. “It is getting clear to middle market companies that building this competency in-house is not a cost-effective proposition and never amounts to the quality or rigor needed to perform this function properly. Managed security service providers have established a method of building the appropriate skills and scalable technology platforms for such operations; hence, outsourcing these functions has become extremely attractive.”
Cyber insurance also continues to be a key element of cybersecurity strategies for the majority of middle market executives. The RSM survey found that 61% of companies carry such a policy, a slight drop from last year’s 65%. The number of smaller middle market companies carrying cyber insurance slightly increased this year, while their larger counterparts reported a significant drop in coverage.
The data privacy landscape continues to evolve in the United States, with constant dialogue about who should collect and possess sensitive data, and how it should be stored. The discussion is no longer just about how information is secured but why organizations need that data in the first place. The European Union’s General Data Protection Regulation, known as GDPR, was a trailblazing piece of legislation that went into effect in 2018 and has served as a blueprint for data privacy standards worldwide.
For example, the GDPR has inspired data privacy regulations in several U.S. states, including the well-known California Consumer Privacy Act. At least 15 other states have some level of data privacy standard, and because of bipartisan support, federal guidelines are likely at some point.
As companies contend with a growing number of data privacy regulations, awareness will be critical to avoiding potential penalties. With that in mind, RSM MMBI data shows that 58% of middle market executives are familiar with GDPR requirements, a slight increase from 2021. In addition, 96% of executives report that preparing for emerging privacy legislation or regulations is of at least minor importance, similar to last year’s findings.
Middle market companies face an increasingly volatile cybersecurity environment, with threats coming from more directions than ever before and more skilled criminals targeting the segment. To help ensure effective strategies and controls are in place, companies must take advantage of benchmarking opportunities and learn from the experiences of their peers.