Middle market companies possess a significant amount of valuable data but continue to lack appropriate levels of protective controls and staffing, according to a report from RSM US and the U.S. Chamber of Commerce.
Middle market companies and data breaches
The results revealed that 28% of middle market leaders claimed that their company experienced data breaches in the last year, a sharp rise from 18% in last year’s survey and the highest level since 2015. Many leaders attributed this increase to challenges created by COVID-19.
According to the survey, 33% of middle market executives said they experienced a ransomware attack or demand in 2020, the highest number since ransomware became a focus of the data four years ago, and a 10% increase from last year. Fifty-one percent said that outside parties attempted to manipulate employees by pretending to be trusted third parties or company executives, a 2% increase from 2019.
Additionally, 45% of social engineering attacks were successful last year, a spike from 28% in the previous year. Attempts were much more successful at larger middle market companies, with 67% reporting that manipulation attempts worked and 43% reporting a ransomware attack, compared to 19% and 24% at smaller organizations, respectively.
Of the organizations that experienced a ransomware or social engineering attack, 67% said their business experienced an attack as an indirect result of the COVID-19 pandemic, with the most common attack based on exploiting vulnerabilities from employees working remotely.
“The pandemic altered the threat landscape in the middle market due to the rapid large-scale shift to a remote work environment and more dependency was placed on the internet to remain productive. Many companies simply did not have experience managing such a transition, and security vulnerabilities—even for a short amount of time—were almost inevitable,” said Tauseef Ghazi, RSM national leader of security and privacy services.
“The middle market is still under immense pressure from hackers and that is not likely to change any time soon, but the tide may be slightly turning, as executives make adjustments to staffing, controls and security policies, and begin to see the benefits of those investments. Middle market leaders generally understand that they are not too small for criminals to ignore, and that keeping pace with security and privacy advancements can go a long way to discouraging and deflecting breach attempts.”
With the growing frequency of breach attempts and the unknown road back to normal in the wake of the pandemic, 64% of respondents anticipate that unauthorized users will attempt to access data or systems in 2021, a significant increase from 55% for expectations in both 2019 and 2020.
Perceived social engineering risk reached the highest level in the survey's history, with 70% of respondents saying their organization is at risk of an attack that manipulates employees in the next 12 months, an increase of 7% from last year.
However, while the cyber threat continues to grow in size and scale, the middle market is responding by increasing its investment in a variety of protective measures, with 71% of respondents having a dedicated function focused on data security and privacy, which is consistent with last year’s findings.
Ongoing efforts to limit cybersecurity risks
“While some patterns of cybercriminals are hard to predict, one is highly predictable: when economies and societies go through massive change, bad actors will try to exploit cyber vulnerabilities. Americans have enough to worry about with economic uncertainty, health precautions, job losses and so forth, and we want to ensure business owners have the right tools to increase the security of their virtual working environments,” said Vincent Voci, executive director of cyber policy and operations at the U.S. Chamber of Commerce.
“This annual report provides key data points, recommendations and expert opinions that will help midsized businesses better understand their risk profile and inform their risk management processes.”
Ninety-three percent of middle market executives say they are confident in their current measures to safeguard data. Companies are also showing some indications that they are moving toward better controlling risks, or at least lessening their impact, with 90% of middle market leaders taking specific actions in response to publicized data security breaches.
With cyber risks increasing, companies have made security one of the top technology investment priorities, and one of the most in-demand skill sets. Organizations took a wide variety of actions in response to publicized data security breaches in the past year and updated existing processes.
Most notably, 33% of middle market executives reported they added data security staff, a record high for this survey.
Training is recognized as one of the best defenses against hackers, and 90% of survey respondents said their organizations provide training to at least some employees on how to detect, identify and prevent attempts to gain unauthorized access, an 8% increase over last year’s data. Of the organizations that had unsuccessful social engineering attacks, 88% listed employees not acting on the fraudulent request as a reason for the failed breach.
A steady share of middle market executives are also using the cloud to improve data security. Forty percent reported moving or migrating data to the cloud because of security concerns in the past year, and 88% of executives who made the move believe the data stored there is more secure.
Cyber insurance has become a key pillar of an effective cybersecurity strategy, and given the increased amount of attempted and successful breaches, it has never been more valuable to middle market companies.
Sixty-five percent of respondents currently use a cyber insurance policy to protect against internet-based risks. And, in addition to the steady rise in coverage overall, more middle market executives know what their specific coverages are.
Among middle market organizations that carry cyber insurance policies, 64% of executives reported that they are familiar with their cyber insurance policy coverage, a sharp increase from 48% last year.
Beyond the proactive measures companies are taking, data privacy and security continues to require an increasing amount of attention and focus from middle market leaders. Since GDPR was implemented in 2018, the U.S. has seen more than a dozen individual state data privacy laws go into effect, including the well-publicized CCPA.
Many middle market companies are subject to GDPR, and awareness of the regulation is growing. Fifty-five percent of executives said they are familiar with the requirements of the law, a 16% increase from last year.
With data privacy becoming more of a focus in the U.S., many middle market companies understand they will likely need to adhere to new laws in the near future, with 92% indicating their organizations will likely have to comply with privacy legislation similar to the GDPR at a state or federal level during the next two years, a 9% increase.
The impact of an increasingly global economy
With geographic boundaries less significant as the economy becomes increasingly global, many U.S.-based companies already have business interests in the U.K., or may be considering future expansion to the region, which raises questions about the future of cybersecurity in the U.K.
One and a half times as many middle market executives in the U.S. reported a ransomware attack in 2020 as in the U.K., 33% compared to 22%. Additionally, 64% of U.S. respondents expect unauthorized users to attempt to access data or systems in 2021, compared to 73% in the U.K.
“We know many businesses here in the U.K. are facing significant challenges around managing the impact the pandemic has had. With employees working remotely and not being fully safeguarded by corporate infrastructures, recognizing and mitigating against cyber threats is more important than ever,” said Sheila Pancholi, technology risk assurance and cybersecurity partner at RSM U.K.
“With U.S. middle market firms engaged in advanced digital transformation to help prepare for the future of cybercrime, analysts believe that the ‘digital maturity’ of U.S. businesses is a few years ahead of their U.K. counterparts.
“In general, we see the average U.K. business being two to five years behind their average U.S. counterpart in this, though there are of course many exceptions to the average. With the digital expansion of U.K. businesses there will also, inevitably, be more potential points of cyber vulnerability.”